2013-2014-2015 THE PARLIAMENT OF THE COMMONWEALTH OF AUSTRALIA SENATE TELECOMMUNICATIONS INTERCEPTION AND ACCESS AMENDMENT DATA RETENTION BILL 2015 REVISED EXPLANATORY MEMORANDUM Circulated by authority of the Attorney-General Senator the Honourable George Brandis QC THE MEMORANDUM TAKES ACCOUNT OF AMENDMENTS MADE BY THE HOUSE OF REPRESENTATIVES TO THE BILL AS INTRODUCED AND SUPERSEDES THE REPLACEMENT EXPLANATORY MEMORANDUM PRESENTED TO THE HOUSE OF REPRESENTATIVES ON 19 MARCH 2015 TELECOMMUNICATIONS INTERCEPTION AND ACCESS AMENDMENT DATA RETENTION BILL 2015 GENERAL OUTLINE 1 The last fifteen years have seen significant advancements in communications technology and changes to industry structure practices and consumer behaviour While the tools available to national security and law enforcement agencies in the Telecommunications Interception and Access Act 1979 the TIA Act have been extremely successful in investigating prosecuting and preventing serious criminal offences including murder sexual assault kidnapping drug trafficking money laundering and fraud and activities that threaten national security the value of these tools is being undermined by the level of change in the telecommunications environment 2 Serious and organised criminals and persons seeking to harm Australia‘s national security routinely use telecommunications service providers and communications technology to plan and to carry out their activities Some activities including child pornography are predominantly executed through communications devices such as phones and computers The TIA Act provides a framework for national security and law enforcement agencies to access the information held by communications providers that agencies need to investigate criminal offences and other activities that threaten safety and security 3 A critical tool available under the TIA Act is access to telecommunications data Telecommunications data is information about a communication such as the phone numbers of the people who called each other how long they talked to each other the email address from which a message was sent and the time the message was sent Data is often the first source of lead information for further investigations helping to eliminate potential suspects and to support applications for more privacy intrusive investigative tools including search warrants and interception warrants 4 The global nature of the telecommunications industry and market and the development and growth of new technologies have created a rapid increase in new telecommunications services changed business practices including subscription rather than transaction based billing and encouraged the adoption of new corporate models All of these factors are diminishing traditional business requirements for retaining telecommunications data 5 Currently the TIA Act does not specify any types of data the telecommunications industry should retain for law enforcement and national security purposes or how long that information should be held In lieu of any standardisation individual carriers retain information based on business taxation billing and marketing requirements This means there are significant variations across the telecommunications industry in the types of data available to law enforcement and national security agencies and the period of time that information is available Agencies have publicly identified the lack of availability of data as a key and growing impediment to the ability to investigate and to prosecute serious offences 6 On 24 June 2013 the Parliamentary Joint Committee on Intelligence and Security handed down its report entitled Report of the Inquiry into Potential Reforms of Australia’s National Security Legislation the 2013 PJCIS Report As part of that Inquiry the Committee considered whether a mandatory data retention scheme should be introduced In 2 the 2013 PJCIS Report the PJCIS noted a diversity of views amongst Committee members and made several recommendations about what a mandatory data scheme should include if implemented The Committee also made a number of recommendations about other aspects of the TIA Act 7 The Bill gives effect to several of the PJCIS‘ recommendations including the data retention obligation only applies to telecommunications data not content and internet browsing is explicitly excluded Recommendation 42 service providers are required to protect the confidentiality of retained data by encrypting the information and protecting it from authorised interference or access Recommendation 42 mandatory data retention will be reviewed by the PJCIS by three years after its commencement Recommendation 42 the Commonwealth Ombudsman will oversight the mandatory data retention scheme and more broadly the exercise of law enforcement agencies‘ exercise of powers under Chapters 3 and 4 of the TIA Act Recommendations 4 and 42 and confining agencies‘ use of and access to telecommunications data through refined access arrangements including a ministerial declaration scheme based on demonstrated investigative or operational need Recommendation 5 8 This Bill amends the TIA Act to standardise the types of telecommunications data that service providers must retain under the TIA Act and the period of time for which that information must be held 9 While telecommunications data is less privacy intrusive than content law enforcement and national security agencies can only access data where a case can be made that this information is reasonably necessary to an investigation This Bill further strengthens privacy protections in the TIA Act in relation to data by limiting the types of enforcement agencies that can access telecommunications data 10 Currently any authority or body that enforces a criminal law a law imposing a pecuniary penalty or a law that protects the public revenue is an ‗enforcement agency‘ under the TIA Act and can seek telecommunications data where that access complies with the requirements set out in Chapter 4 of the TIA Act In 2012-13 data was accessed by around 80 Commonwealth State and Territory agencies with law enforcement or revenue protection functions 11 The Bill limits the range of agencies who are a ‗criminal law enforcement agency‘ for the purposes of the TIA Act and provides that any declaration to include any agency ceases to have effect 40 sitting days after entering into force These amendments ensure that only authorities and bodies with a demonstrated need to have telecommunications information can authorise the disclosure of this material These amendments are consistent with Recommendation 5 of the 2013 PJCIS Report that the number of agencies able to access telecommunications data be reduced 3 12 The Bill further enhances privacy protections by introducing an independent oversight mechanism for access to data by law enforcement agencies Under these provisions the Commonwealth Ombudsman will for the first time have the power to inspect the records of enforcement agencies to ensure that agencies are complying with their obligations under the TIA Act The Inspector-General of Intelligence and Security IGIS currently oversights and will continue to oversight access to telecommunications data by the Australian Security Intelligence Organisation ASIO 13 The Bill also amends Chapter 3 of the TIA Act to limit the availability of stored communications warrants in Part 3-3 of the TIA Act to a ‗criminal law-enforcement agency‘ Currently any authority or body that is an ‗enforcement agency‘ can apply for a stored communications warrant under Part 3-3 The Bill limits this power to interception agencies and other law enforcement agencies with a demonstrated need for such information A restricted definition recognises that text messages and emails stored on a phone or other communications device are more akin to content than data and should be subject to greater privacy protection than telecommunications data 14 The Bill was referred to the PJCIS for inquiry on 21 November 2014 The PJCIS tabled its Advisory Report on the Telecommunications Interception and Access Amendment Data Retention Bill 2014 the 2015 PJCIS Report on 27 February 2015 15 The PJCIS concluded that implementation of a mandatory data retention regime is necessary to maintain the capability of national security and law enforcement agencies and recommended that the Bill be passed recommendation 39 The PJCIS also recommended that the Bill be amended to strengthen the privacy safeguards and oversight mechanisms contained in the data retention scheme 16 On 3 March 2015 the Government announced that it would accept all of the Committee‘s recommendations and on 19 March 2015 the House of Representatives agreed to amendments to the Bill and to the Intelligence Services Act 2001 the Telecommunications Act 1997 the Privacy Act 1988 and the Australian Security Intelligence Organisation Act 1979 to give effect to the 2015 PJCIS Report 17 The House of Representatives also agreed to amendments to implement the ‗journalist information warrant‘ The journalist information warrants regime prohibits agencies from making authorisations to access journalists‘ or their employers‘ data for the purpose of identifying a confidential source unless a journalist information warrant is in force The journalist information warrants regime recognises the public interest in protecting journalists‘ sources while ensuring agencies have the investigative tools necessary to protect the community FINANCIAL IMPACT 18 The Bill will have financial impacts on service providers who will be required to meet the new minimum data retention obligations Independent costings work was undertaken with a sample of affected service providers that cover the vast majority of services offered in Australia were consulted on the development of the policy and in assessing the regulatory impacts of the Bill 4 STATEMENT OF COMPATIBILITY WITH HUMAN RIGHTS Prepared in accordance with Part 3 of the Human Rights Parliamentary Scrutiny Act 2011 Telecommunications Interception and Access Amendment Data Retention Bill 2015 19 This Bill is compatible with the human rights and freedoms recognised or declared in the international instruments listed in section 3 of the Human Rights Parliamentary Scrutiny Act 2011 Overview of the Bill 20 The Telecommunications Interception and Access Amendment Data Retention Bill 2015 Bill amends the Telecommunications Interception and Access Act 1979 the TIA Act and the Telecommunications Act 1997 the Telecommunications Act to introduce a statutory obligation for telecommunications service providers to retain for two years particular types of telecommunications data 21 The Bill amends the TIA Act to specify the types of information or documents that service providers must retain the data set to comply with their data retention obligations Telecommunications data including subscriber information is currently kept by service providers for billing quality assurance and other business purposes However the evolution of business models associated with Internet Protocol IP convergence has led to less telecommunications data being created by and or held on service provider systems Consequently there is an associated decrease in the availability of certain types of information that would assist law enforcement and intelligence agencies with their investigations 22 The purpose of the Bill is to require service providers to retain a strictly defined subset of telecommunications data produced in the course of providing telecommunications services This ensures the availability of a specified range of basic telecommunications data for law enforcement and national security purposes Telecommunications data is central to virtually every counter-terrorism organised crime counter-espionage and cyber-security investigation as well as almost every serious criminal investigation such as murder rape and kidnapping Telecommunications data is increasingly important to Australia‘s law enforcement and national security agencies allowing agencies to determine how and with whom a person has been communicating Access to telecommunications data also infringes less on personal privacy compared to other covert investigative methods as it does not include the content or substance of the communication 23 Access to telecommunications data has proven to be a critical tool for security and law enforcement agencies providing both intelligence and evidence when identifying and prosecuting offenders Telecommunications data provides agencies with an irrefutable method of tracing all telecommunications from end-to-end It can also be used to demonstrate an association between two or more people prove that two or more people communicated at a particular time such as before the commission of an alleged offence or exclude a person from further inquiry The attrition of data will have a deleterious impact on law enforcement agencies' intelligence and evidence gathering capabilities In June 2013 the Parliamentary Joint Committee on Intelligence and Security PJCIS concluded that telecommunications 5 industry changes are resulting in ‗an actual degradation of the investigative capabilities of the national security agencies which is likely to accelerate in future‘ A European investigation provides an example of the difference data retention can make—in a major Europol child exploitation investigation UK investigators with the advantage of retained data identified 240 out of 371 suspects in their jurisdiction almost 65% securing 121 convictions Germany on the other hand without data retention identified less than 2% 7 out of 377 suspects and convicted none 24 Access to historical data and analysis of inter-linkages with other data sources is vital to both reactive investigations into serious crime and the development of proactive intelligence on organised criminal activity and matters affecting national security In 2012 the Queensland Crime and Misconduct Commission now the Crime and Corruption Commission stated that more than one-fifth of all of their investigations were being undermined by telecommunications data not being kept In 2014 the Australian Federal Police AFP revealed that it could not identify more than one-third of all suspects in a current major child exploitation investigation because the necessary telecommunications data is not available 25 The data retention measures contained in the Bill ensure the retention of the basic telecommunications data that is essential to support Australian law enforcement and security agencies in the performance of their functions 26 The Bill also amends the TIA Act to bolster the privacy protections associated with the access to and use of telecommunications data It achieves this by limiting the agencies which may authorise access to telecommunications data and by providing that agencies‘ access to and use of telecommunications data is subject to comprehensive oversight by the Commonwealth Ombudsman 27 Notably the measures contained in the Bill do not increase or otherwise modify the powers of Australian agencies in relation to access to the content of communications 28 The Bill incorporates amendments made following the consideration of the Parliamentary Joint Committee on Intelligence and Security‘s Advisory Report on the Telecommunications Interception and Access Amendment Data Retention Bill 2014 the 2015 PJCIS Report The amendments increase Parliamentary oversight of the mandatory data retention scheme and strengthen safeguards oversight and accountability mechanisms relating to access to telecommunications data more broadly 29 In response to a recommendation in the 2015 PJCIS Report the Bill amends the Intelligence Services Act 2001 the ISA to give the PJCIS the ability to inquire into operational matters relating to the use of telecommunications data by the Australian Security Intelligence Organisation ASIO and the Australian Federal Police the AFP in relation to the AFP‘s counter-terrorism functions 30 Amendments to the Telecommunications Act 1997 the Telecommunications Act the Privacy Act 1988 the Privacy Act and the Australian Security Intelligence Organisation Act 1979 included in the Bill give effect to recommendations in the 2015 PJCIS Report 31 The Bill also introduces a journalist information warrant regime Under this regime agencies are prohibited from authorising disclosure of a journalists‘ or their employers‘ 6 telecommunications data for the purposes of identifying a source of the journalist without a warrant Parliamentary Joint Committee on Intelligence and Security recommendations on data retention – 2013 and 2015 Reports 32 The 2013 PJCIS Report noted that there was a diversity of views within the Committee as to whether there should be a mandatory data retention regime The PJCIS observed that the issue of whether there should be a mandatory data retention regime was ultimately a decision for Government However if the Government was persuaded that a mandatory data retention regime should proceed the PJCIS provided guidance on the particulars of a data retention regime including that any mandatory data retention regime should apply only to ‗metadata‘ and exclude content the controls on access to communications data remain the same as under the current regime internet browsing data should be explicitly excluded the data should be stored securely by making encryption mandatory save for existing provisions enabling agencies to retain data for a longer period of time data retained under a new regime should be for no more than two years and an independent audit function be established within an appropriate agency to ensure that communications content is not stored by telecommunications service providers and oversight of agencies‘ access to telecommunications data by the Ombudsmen and the Inspector-General of Intelligence and Security recommendation 42 33 The data retention scheme set out in the Bill is consistent with the majority of the PJCIS‘s recommendations in relation to a mandatory data retention obligation 34 The data retention scheme recognises that the ability to lawfully access telecommunications data held by telecommunications service providers is a vital tool for agencies Criminals and persons engaged in activities prejudicial to security use the full range of modern telecommunications services to communicate and to coordinate and manage their activities The availability of encrypted services is also impacting on the utility of access to telecommunications content making telecommunications data an increasingly valuable investigative tool 35 The utility of access to telecommunications data is clearly demonstrated in its ability to provide critical evidence and intelligence in terrorist and other criminal prosecutions There is a risk that if the Government does not imminently address the issue of data attenuation there will be a serious deterioration of this important investigative capability and the effectiveness of national security and law enforcement agencies across the nation to prevent or detect serious crime and safeguard national security will be seriously impacted In addition to being broadly consistent with the PCJIS‘s views on parameters for a data retention regime the scheme is reasonable and proportionate to the law enforcement and national security aims to be supported by limiting the retention obligations to categories of data 7 critically required by law enforcement and intelligence agencies to investigate and solve crime and to protect national security The scheme is also bolstered by refinements to data access arrangements and a new oversight regime providing important safeguards further contributing towards providing a reasonable and proportional response to the challenges of declining availability of telecommunications data for law enforcement and security purposes 36 The PJCIS concluded in its 2015 Report on the Bill that implementation of a mandatory data retention regime is necessary to maintain the capability of national security and law enforcement agencies and recommended that the Bill be passed recommendation 39 The PJCIS also recommended that the Bill be amended to strengthen the privacy safeguards and oversight mechanisms contained in the data retention scheme 37 The Government accepted all of the Committee‘s recommendations on 3 March 2015 Following amendments to the Bill by the House of Representatives the Bill provides for increased Parliamentary oversight of the mandatory data retention scheme and strengthened safeguards oversight and accountability mechanisms that engage and promote human rights Overview of Schedules 38 Schedule 1 requires providers of telecommunications services to retain telecommunications data associated with a communication specified in subsection 187AA for a period of two years section 187C Section 187AA lists the information and documents that service providers must retain in order to comply with their data retention obligations providing certainty and clarity to service providers and telecommunications users about the information retained under the scheme 39 The data set is supported by a declaration making power in subsection 187AA 2 so that the data set can be amended where necessary to rapidly respond to advances in telecommunications technology or the use of telecommunications services Declarations are subject to Parliamentary disallowance and expire 40 sitting days of either House of Parliament after the declaration comes into force The Attorney-General must refer any proposed legislative amendments to the data set to the PJCIS and give the PJCIS at least 15 sitting days of a House of Parliament to review the amendment and to issue a report These requirements support flexibility to address developments requiring amendment to the data set as well as providing for rigorous scrutiny of any amendments to the data set 40 Subsection 187A 4 puts beyond doubt that service providers cannot be required to keep information about the content or substance of a communication nor an address to which a communication was sent on the internet from a telecommunications device or from which a communication was sent on the internet by a telecommunications device using an internet access service or obtained only as a result of providing the service This limitation means that service providers cannot be required to keep information about subscribers‘ web browsing history 41 Paragraph 187A 4 c clarifies that service providers are only required to retain telecommunications data to the extent that such information is in fact available to a particular service provider Providers are not required to retain information about communications passing ‗over the top‘ of the underlying service they provide which are being carried by means of another service operated by another provider 8 42 Schedule 1 also permits service providers to seek approval of data retention implementation plans providing industry with the ability to seek endorsement of a strategy to achieve compliance with the data retention obligation over 18 months from the commencement of the obligation The implementation period allows industry to achieve compliance over an extended period 43 The Schedule also permits service providers to seek an exemption from data retention obligations The exemption framework complements and sits alongside the implementation plan framework providing further flexibility to ensure data retention obligations may be qualified to the extent appropriate having regard to national security and law enforcement considerations and the objects of the Telecommunications Act 1997 44 Under the exemption framework the Communications Access Coordinator the CAC as defined under section 6R of the TIA Act may exempt service providers from being required to or vary their obligations to retain telecommunications data at all retain specified telecommunications data in respect of one or more types of telecommunications services retain specified telecommunications data for the full retention period protect the confidentiality of retained data through encryption and prevention of unauthorised interference or access 45 Section 187B exempts certain service providers from data retention obligations unless the CAC has declared that a service operated by a particular service provider must comply with the data retention scheme Before making a declaration the CAC must consider the objects of the Privacy Act and if there is any uncertainty or a need for clarification consult with the Australian Privacy Commissioner The CAC must consider any submissions made by the Privacy Commissioner as a result of such consultation Further the CAC must as soon as practicable give written notice of any declaration made under subsection 187B 2 to the Minister and in turn the Minister must give written notice to the PJCIS as soon as practicable These measures enhance existing privacy protections by requiring the CAC to consider applicable privacy considerations and ensures that the Privacy Commissioner is consulted where necessary as part of the CAC‘s deliberations 46 Section 187LA provides that the Privacy Act applies in relation to a service provider to the extent that the activities of the service provider relate to retained data This means that the Privacy Act and the Australian Privacy Principles APPs apply to the data retention activities of all service providers including operators that would otherwise be exempt from the Privacy Act Section 187LA provides that information or documents kept under the data retention regime are ‗personal information‘ for the purposes of the Privacy Act As a result individuals are able to request access to their personal retained data in accordance with APP 12 Consistent with the APPs service providers are able to charge an individual for providing access to this information 47 Section 187BA supplements existing information security obligations under the Privacy Act and the Telecommunications Consumer Protection Code by requiring service providers to protect and to encrypt retained telecommunications data 9 48 Schedule 1 facilitates the enforcement of the data retention scheme by making the data retention obligation and compliance with any implementation plan subject to civil penalty provisions under the Telecommunications Act 1997 49 Currently section 180F of the TIA Act requires authorised officers to ‗have regard to‘ the impact on an individual‘s privacy before authorising a service provider to disclose telecommunications data 50 The Bill increases this obligation to require authorising officers to be ‗satisfied on reasonable grounds‘ that a proposed disclosure or use of telecommunications data is justifiable and proportionate to the interference with the privacy of any person or persons that may result from the disclosure or use of the data Authorising officers are also required to consider a number of additional factors before making an authorisation including the gravity of the conduct being investigated the reason why the disclosure is proposed to be authorised and the likely relevance and usefulness of the information to the investigation 51 Schedule 2 limits the range of agencies that are able to access telecommunications data and stored communications 52 The Bill amends the TIA Act to provide that only criminal law-enforcement agencies are able to access stored communications and to require the preservation of stored communications Criminal law-enforcement agencies are defined to mean interception agencies Commonwealth State and Territory police and anti-corruption agencies that are able to obtain warrants to intercept communications under the TIA Act the Australian Customs and Border Protection Service Customs the Australian Securities and Investments Commission and the Australian Competition and Consumer Commission and authorities or bodies declared by the Minister to be a criminal law-enforcement agency 53 Subsection 110A 3B requires that the Minister must not make a declaration unless satisfied on reasonable grounds that the functions of the authority or body include investigating serious contraventions In considering whether to make a declaration the Minister must consider several specified factors including whether the authority or body is required to comply with the APPs or is required to comply with a binding scheme that protects personal information or has agreed in writing to comply with a scheme providing such protection of personal information if a declaration is made 54 The measures contained in Schedule 2 similarly reduce the range of agencies that are able to access telecommunications data to ‗enforcement agencies‘ being criminal law-enforcement agencies and authorities or bodies that have been declared by the Minister as enforcement agencies where the agencies satisfy certain criteria that support a clear and genuine need to access telecommunications data for their investigations 55 Subsection 176A 3A requires that the Minister must not make a declaration unless satisfied on reasonable grounds that the functions of the authority or body include enforcing 10 the criminal law or administering a law that either imposes a pecuniary penalty or relates to the protection of the public revenue 56 In considering whether to make a declaration the Minister must consider several specified factors including whether the authority or body is required to comply with the APPs or is required to comply with a binding scheme that protects personal information or has agreed in writing to comply with a scheme providing such protection of personal information if a declaration is made 57 The characteristics of a binding scheme in relation to the protection of personal information must include a mechanism for monitoring the authority‘s or body‘s compliance with the scheme and enable individuals to seek recourse if their personal information is mishandled 58 Any Ministerial declarations made in relation to criminal law enforcement and enforcement agencies cease to have effect 40 sitting days after a declaration comes into force Any permanent amendment to the list of criminal law-enforcement agencies or enforcement agencies must be introduced through amendments to the TIA Act and referred to the PJCIS for review providing at least 15 sitting days of a House of Parliament to review the amendment and to issue a report These requirements support flexibility to support additional agencies in the performance of their functions that meet the threshold requirements while providing for rigorous scrutiny of any expansion to the scope of criminal law enforcement agencies 59 The limitations on who may access stored communications and telecommunications data are complemented by enhanced oversight through a comprehensive Commonwealth Ombudsman oversight model Schedule 3 60 Schedule 3 specifies record-keeping reporting oversight and accountability requirements relating to agencies‘ use of and access to telecommunications data Specifically the Bill extends the Commonwealth Ombudsman‘s remit to facilitate independent oversight of agency compliance with powers exercised under Chapter 3 stored communications and Chapter 4 access to telecommunications data of the TIA Act and prescribes detailed reporting obligations in relation to access to stored communications and telecommunications data to assess agency compliance with the statutory scheme 61 Schedule 3 provides support for the Ombudsman oversight role by criminalising circumstances where a person fails to comply with a request to attend before an inspecting officer to give information or to answer questions from the Ombudsman in relation to compliance by the agency with the provisions relating to access to telecommunications data and in relation to a criminal law enforcement agency in relation to access to stored communications The Bill also creates a mirror offence to support the Ombudsman in oversight of the interception of communications The penalty for these offences is 6 months imprisonment 11 Human rights implications 62 The Bill engages the following human rights protection against arbitrary or unlawful interference with privacy contained in Article 17 of the International Covenant on Civil and Political Rights ICCPR the right to a fair hearing the right to minimum guarantees in criminal proceedings and the presumption of innocence contained in Article 14 of the ICCPR the right to freedom of expression contained in Article 19 of the ICCPR the right to life and the right to security of the person contained in Articles 6 and 9 of the ICCPR respectively and the right to an effective remedy contained in Article 2 3 of the ICCPR Right to protection against arbitrary or unlawful interferences with privacy—Article 17 of the ICCPR 63 The Bill engages the right to protection against arbitrary and unlawful interferences with privacy in Article 17 of the ICCPR Article 17 of the ICCPR provides that no one shall be subjected to arbitrary or unlawful interference with their privacy family home or correspondence 64 The use of the term ‗arbitrary‘ means that any interference with privacy must be in accordance with the provisions aims and objectives of the ICCPR and should be reasonable in the particular circumstances The United Nations Human Rights Committee has interpreted ‗reasonableness‘ to imply that any limitation must be proportionate and necessary in the circumstances 65 The right to privacy under Article 17 can be permissibly limited in order to achieve a legitimate objective and where the limitations are lawful and not arbitrary In order for an interference with the right to privacy to be permissible the interference must be authorised by law be for a reason consistent with the ICCPR and be reasonable in the particular circumstances The United Nations Human Rights Committee has interpreted the requirement of ‗reasonableness‘ to imply that any interference with privacy must be proportionate to a legitimate end and be necessary in the circumstances of any given case 66 In this case the legitimate end is the protection of national security public safety addressing crime and protecting the rights and freedoms of individuals by requiring the retention of a basic set of communications data required to support relevant investigations 67 The Bill permissibly limits an individual‘s privacy in correspondence telecommunications in a way which is reasonable and proportionate by circumscribing the types of telecommunications data that are to be retained by service providers to the essential categories of data required to advance criminal and security investigations permitting access to telecommunications data only in circumstances specified in the TIA Act and reducing the range of agencies who can access data under those provisions 68 To the extent that the right to privacy is impinged the interference corresponds to a ‗pressing social need‘ that is the need for law enforcement agencies to effectively investigate and prosecute crime The limitation is proportionate because the measures are 12 precisely directed to the legitimate aim being pursued Rather than requiring retention of a broad range of telecommunications data the Bill expressly limits the data to be retained to certain types and moreover excludes data representing a greater level of intrusion 69 The provisions of the Bill engage the right to privacy in the following manner 70 Schedule 1 The introduction of a regime whereby service providers must retain a specifically defined set of telecommunications data for a two year period engages the right to privacy The regime requires that service providers retain and store data which is personal information for the purposes of the Privacy Act 1998 the Privacy Act 71 The Bill also includes a mechanism for the Communications Access Coordinator the CAC to exempt a service provider from some or all of the mandatory data retention requirements with or without conditions or qualifications either entirely in respect of a specified kind of service or in relation to the retention period 72 Schedules 2 and 3 Reduce the number and range of agencies that may access telecommunications data and extend the remit of the Ombudsman to oversight law enforcement agencies compliance with the framework for access to and use of telecommunications data under Chapter 4 of the TIA Act Schedules 2 and 3 also extend and enhance the Ombudsman‘s oversight of law enforcement agencies‘ access to and use of stored communications These amendments promote protection from unlawful and arbitrary interference with privacy by ensuring that access to data only occurs in confined circumstances as dictated by operational need and that the ability to become an agency who may access telecommunications data is closely circumscribed and subject to parliamentary scrutiny Protection from unlawful and arbitrary interference is likewise promoted by the conferral of an oversight role on the Ombudsman The prospect of review and accountability provides a strong and positive incentive for strict compliance thereby supporting privacy protection and obviating against unlawful or arbitrary interference with this right Schedule 1—Data retention obligations and mandatory dataset 73 Schedule 1 amends the TIA Act to create a requirement for service providers to retain and to secure for two years telecommunications data prescribed by section 187AA The framework allows service providers to seek exemptions for the requirement from the Communications Access Co-ordinator supporting providers in respect of telecommunications services that may be of lesser relevance to law and security purposes The ability to grant exemptions provides a further mechanism to minimise privacy intrusion through the retention of telecommunications data having regard to the interests of law enforcement and national security 74 The legislative requirement for providers to store the telecommunications data in relation to its services engages the right to protection against arbitrary and unlawful interference with privacy Specification of the types of data that may be retained minimises the privacy impacts associated with the storage of telecommunications data ensuring that only narrow categories of telecommunications data necessary for the investigation of serious criminal offences and national security threats are retained In summary privacy and other rights-based implications are minimised because 13 1 the prescribed information or documents that must be retained is confined in ambit so that only non-content data available to a particular service provider which is critical to initiating or furthering law enforcement investigations is required to be kept 2 the data retention regime is supported by new Parliamentary and Commonwealth Ombudsman oversight of agencies‘ access to and use of telecommunication data coupled with obligations under the Privacy Act in relation to privacy protections and accountability standards for service providers in relation to customers‘ personal information consistent with contemporary community expectations and 3 the scheme will be reviewed within three years of the conclusion of the implementation phase of the obligation providing an opportunity for further Parliamentary scrutiny of the proportionality and effectiveness of the response and impact on privacy Security and destruction of retained data 75 The Bill contains a range of safeguards to ensure that the rights of individuals in particular the privacy rights of individual telecommunications users are protected The right to privacy is permissibly limited and the limitation is reasonable necessary and proportionate to a legitimate aim 76 Telecommunications service providers currently retain store and destroy a wide range of telecommunications data for their own purposes and to comply with other legislative obligations Accordingly many service providers already have arrangements for the storage and protection of this information consistent with their existing data protection obligations under the Privacy Act or state territory equivalent legislation Importantly the Bill provides that the Australian Privacy Principles APPs in the Privacy Act apply to data retained under the data retention regime The Privacy Commissioner can therefore oversight service providers‘ collection and use of data required to be retained under the data retention regime 77 The Bill includes a requirement that service providers protect retained data through encryption and preventing unauthorised access and interference This obligation supplements existing requirements under the Privacy Act and Telecommunications Consumer Protection Code adding an additional layer of privacy and security protection for customer data supporting the confidentiality of that information 78 These requirements will be supplemented by the proposed Telecommunications Sector Security Reforms TSSR 1 which will require service providers to do their best to prevent unauthorised access to and unauthorised interference with retained telecommunications data 1 The Privacy Act sets out the circumstances in which a carrier or carriage service provider C CSP may use or disclose personal information and sets out detailed requirements that must be met before a C CSP may disclose personal information outside Australia The proposed Telecommunications Sector Security Reform as recommended by the Parliamentary Joint Committee on Intelligence and Security will involve introducing a new obligation on C CSPs to do their best to prevent unauthorised access and unauthorised interference to telecommunications networks and facilities including where a C CSP outsources functions 14 79 The privacy implications associated with the increased volume of data which may be generated by the mandatory dataset arrangements are mitigated by the existing statutory obligations on service providers to ensure the quality and or correctness of any personal information APP 10 and to keep personal information secure APP 11 as well as in relation to the destruction of personal information Telecommunications service providers currently retain information of the type which is being contemplated under the data retention scheme for their own functions and purposes including billing customers 80 Service providers are also subject to the data protection obligations contained in Part 13 of the Telecommunications Act Under section 309 of the Telecommunications Act the Information Commissioner oversees compliance by telecommunications providers with Part 13 of that Act This includes monitoring the record-keeping of service providers and ensuring that the grounds for disclosures under Part 13 are recorded by service providers and authorised by the Telecommunications Act and the TIA Act The specified dataset 81 Section 187AA sets out the types of information and documents that service providers are required to retain in accordance with the mandatory data retention obligation 82 Item 1 Table in section 187AA—subscriber of the relevant service and accounts services telecommunications devices and other relevant services relating to the relevant service Information regarding the subscriber of a relevant service is information that is critical for linking the identity of a person to the use of a relevant service Information about accounts telecommunications devices and other relevant services relating to the relevant service likewise provide basic and essential information about the subscription to and use of a relevant service 83 The information covered by Item 1of the Table is essential for any investigation involving communications made from a service as it enables investigating authorities to establish the details of who is involved in making a communication This type of information is already broadly retained by service providers as part of general customer records for up to 7 years 84 The retention of this data category is reasonable proportionate and necessary in fulfilment of the legitimate aim of ensuring law enforcement and intelligence agencies have the investigative tools to safeguard national security and prevent or detect serious and organised crime In the absence of the retention of this type of information it may be exceedingly difficult or impossible to determine who has made a communication of interest Subscriber information provides the critical link between communications and the subscriber to the service Without this basic information agencies may be unable to commence an investigation as it can otherwise be impossible to link a suspect communication to a particular subscriber thereby providing no avenues to further investigations This is particularly the case in relation to crime types making extensive use of telecommunications in their perpetration for example the distribution of child pornography It is notable that subscriber data as the predominant data category which would be generated through the collection of customer information raises relatively fewer privacy implications than traffic and location data comparators 85 Item 2 Table in section 187AA—the source of a communication This category covers the identifier or combination of identifiers which are used by the service provider to describe 15 the account service and or device from which a successful or attempted communication is sent An example of such an identifier is a telephone number The source of a communication is critical for the purpose of the investigation detection and prosecution of serious crime and security threats providing clear identification of the origin of communications relevant to investigations 86 Item 3 Table in section 187AA —the destination of a communication This category covers identifiers of an account to which a communication is sent An example of such an identifier is the telephone number dialled when making a telephone call The retention of telecommunications data regarding the destination of a communication such as telephone numbers and email addresses is necessary in order to connect a communication of interest to the particular telecommunications service being used to send or receive this communication This information can then assist with determining the subscribers who sent or received relevant communications If providers of telecommunications services did not retain this telecommunications information there is a real risk that agencies would not be able to determine with whom a person has been communicating providing important information on linkages and connections of investigative significance and which are critical to advance inquiries into criminality and security threats 87 Under paragraph 187A 4 b the retention obligation is explicitly expressed to exclude the retention of destination web address identifiers such as destination internet Protocol IP addresses or uniform resource locators URLs This exception is intended to ensure that providers of internet access services are not required to engage in session logging which may otherwise fall within the scope of the destination of a communication 88 Item 4 Table in section 187AA—the date time and duration of a communication This category covers the time at which it occurred and its duration Using this information agencies can link the time of a communication with events associated with the communication This information is also critical to linking a communication to a particular subscriber as the source of a communication can change over time requiring the time of the communication in order to identify its sender 89 The retention of this data category is reasonable proportionate and necessary as it constitutes information that can help inculpate or exculpate an individual associated with a communication and is also valuable in tracing the steps of a missing person who has been using a communications service before or during the time they are missing An agency‘s ability to investigate these matters will be significantly limited if providers of telecommunications services do not retain this information The data covered by this item is also critical because communications may now travel over multiple networks and service providers As such time-calibrated information about a communication needs to be sufficiently precise to enable agencies to develop an accurate picture of a particular communication 90 Item 5 Table in section 187AA—the type of communication This category covers the type of service used including the type of access network or service or application service Data which identifies the type of communication is necessary for understanding what telecommunications service has been used to send the communication 16 91 Item 6 Table in section187AA—the location of equipment or a line used in connection with a communication This category covers information which identifies the location of equipment or a line used in connection with a communication 92 Information on the location of telecommunications equipment can be of significant utility to law enforcement and national security investigations Location information is often retained in records which form a part of a customer‘s billing 93 The potential privacy impacts associated with the retention of information which determines the location of equipment has been minimised in the Bill The Bill provides that two or more communications that together constitute a single communications session such as an internet access session are taken to constitute a single communications session This limitation ensures that communications that may technically be achieved by a series of smaller communications such as a download are treated as a single communication and through that ensuring that location information is limited to that overarching communication rather than its constituent components Further the Bill expressly provides that the obligation to keep location information is limited to location information used by the service provider to provide the relevant service Accordingly the obligation is limited to that required by the networks to effect a communication but cannot extend to other location based information that a provider may hold 94 Location-based data is valuable for identifying the location of a device at the time of a communication providing evidence linking the presence of a device to an event or alternatively providing indications that may exclude a person from further inquiry This data may also be instructive in determining the location of a person who is reporting an emergency or help with precursor steps towards identifying the locality of a missing person who has used a telecommunications device Without this information being retained by service providers agencies‘ abilities to investigate crimes emergencies and missing person matters are substantially limited 95 While service providers typically generate a wide range telecommunications data in the course of providing telecommunications services the Bill further circumscribes the data retention obligation by excluding information that the service provider is required to delete pursuant to a Determination made under section 99 of the Telecommunications Act This ensures that the limitation on the privacy of users of telecommunications services is proportionate to the legitimate outcome sought that being the ability for Australian law enforcement and national security agencies to have the necessary telecommunications data to effectively carry out their investigations and does not operate to require retention of a specific category of subscriber identification information required to be destroyed under specific existing protections 96 Importantly access to all telecommunications data whether or not captured by the terms of the data set is limited to specific purposes Enforcement agencies may only issue authorisations enabling access to data where it is ‗reasonably necessary‘ for a legitimate investigation and must consider the privacy impact of accessing telecommunications data ‗Reasonably necessary‘ is not a low threshold It will not be ‗reasonably necessary‘ to access data if it is merely helpful or expedient 97 The Bill further increases the threshold requirement in section 180F for authorisations to disclose telecommunications data to require that the authorising officer be ‗satisfied on 17 reasonable grounds‘ that a particular disclosure or use of telecommunications data being proposed is proportionate to the intrusion into privacy as opposed to ―having regard to whether any interference with privacy is justifiable‖ The Bill requires the authorising officer to have regard to a number of specified factors including the gravity of the conduct being investigated the reason why the disclosure is proposed to be authorised and the likely relevance and usefulness of the information to the investigation This amendment bolsters privacy safeguards by ensuring agencies weigh the proportionality of the intrusion into privacy against the value of the evidence and the assistance to be provided to the investigation 98 In relation to the Australian Security Intelligence Organisation ASIO ASIO is subject to strict privacy and proportionality obligations under the Attorney-General‘s Guidelines made under paragraph 8 1 a of the Australian Security Intelligence Organisation Act 1979 which relevantly requires that any means used for obtaining information must be proportionate to the gravity of the threat posed and the probability of its occurrence inquiries and investigations into individuals and groups should be undertaken using as little intrusion into individual privacy as is possible consistent with the performance of ASIO's functions and wherever possible the least intrusive techniques of information collection should be used before more intrusive techniques 99 Notably the limited telecommunications data the subject of the data retention obligation is information about a communication—not the content or substance of a communication such as the body and subject line of an email or what you search for online Agencies will continue to require a warrant to access the content of a communication EU Data Retention Directive2 100 In the 2014 judgment of the Court of Justice of the European Union CJEU Digital Rights Ireland Ltd and Ors C-293 12 and Kärntner Landesregierung and Ors C-594 12 8 April 2014 the CJEU observed that legislation on the retention of telecommunications data ‗must lay down clear and precise rules governing the scope and application‘ of the measures in question ‗imposing minimum safeguards so that the persons whose data have been retained have sufficient guarantees to effectively protect their personal data against risk of abuse and against any unlawful access and use of that data‘ at paragraphs 65-69 101 The CJEU accepted that the objective of the EU Data Retention Directive namely to contribute to the fight against terrorism and serious crime and to maintain public security was a legitimate justification for interfering with the right to privacy However the CJEU considered that the extent of interference as set out in the Directive was disproportionate to those ends 102 The CJEU considered that the conditions under which data could be retained should have been more closely defined in the Directive and identified a range of conditions and 2 Judicial consideration of Directive 2006 24 EC of the European Parliament and of the Council on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002 58 EC 2006 O J L 105 54 18 safeguards which were not included in the Directive and which it considered should have been for human rights compatibility In particular the CJEU found that the Directive was not human rights compatible because it did not contain a any restrictions on the types of data retained—the Directive covered all persons all means of electronic communications and all traffic data paragraph 57 b any conditions limiting the categories of data that is retained—for example limitations by geographical location or by link to serious crime paragraph 59 c any objective criteria on access to data and its subsequent use simply referring to ‗serious crime‘ and did not restrict access to the purpose of preventing detecting serious crime paragraph 60 d any requirement of prior review by a court or independent administrative body to determine the necessity of the request for the purposes of preventing or detecting serious crime paragraph 62 e any different retention periods for different types of traffic data or any requirement that the retention period be based on objective criteria paragraph 57 and f sufficient safeguards for the protection of data having regard to the quantity of data retained the sensitive nature of the data and the risk of unlawful access to the data paragraph 66 103 In relation to the scheme in the Bill the types of information that may be prescribed for retention are consistent with those identified in the Directive but the scheme provides clear and specific restrictions on the nature of the data to be retained criteria a The dataset does not apply indiscriminately to all details of electronic communications to the extent that it does not require retention of all traffic data in its various permutations In addition the obligation is explicitly expressed to exclude web-browsing history and to limit location information to that held by a carrier in connection with the provision of the service 104 In relation to criteria c Schedules 2 and 3 introduce provisions to reduce the number of agencies who may access telecommunications data and implement new and comprehensive oversight of access to and usage of this data This is achieved by amendments to the definition of ‗enforcement agency‘ in section 5 of the TIA Act to confine its ambit replacing the existing general descriptors of the types of agencies who may access telecommunications data with a confined list combined with a ministerial declaration scheme to ensure that any additions to the range of agencies is rigorously assessed against their functions need for access to data privacy protections and oversight arrangements and is time limited and providing independent oversight for agency access to telecommunications data through Parliamentary scrutiny and by extending the statutory remit of the Commonwealth Ombudsman to enable the Ombudsman to oversight agency use of and access to telecommunication data 105 These new measures to address the risk of unlawful access to telecommunications data are also supported by the application of existing privacy protection frameworks In relation to criteria d the reduction in the number of agencies capable of accessing data the 19 introduction of a time-limited ministerial declaration scheme and Parliamentary oversight ensure scrutiny of any extension to the agencies that may access telecommunications data In relation to criteria e the measure caps the mandatory retention period of retention at two years The retention period is based on objective factors associated with the descriptive nature and confined classification of the data types which form the dataset The retention period reflects international experience that while the majority of requests for access to telecommunications data are for data that is less than 6 months old certain types of investigations are characterised by a requirement to access to data up to 2 years old These include complex investigations such as terrorism financial crimes and organised criminal activity serious sexual assaults premeditated offences and transnational investigations Against the particular context of the critical importance of telecommunications data in very serious crime types and security threats the two year retention period provides a proportionate response to that environment 106 In relation to criteria f the Bill requires service providers to protect the confidentiality of information retained pursuant to the data retention obligation by encrypting the data and protecting it from unauthorised interference or access The CAC may exempt a provider from this obligation or vary the effect of the obligation in limited circumstances CAC exemption regime 107 Division 3 Part 5-1A of the TIA Act provides a mechanism for the CAC to grant an exemption to a service provider from some or all of the mandatory data retention obligations The scheme operates in a similar way to the existing exemption regime for interception capability under section 192 of the TIA Act 108 Under the data retention exemption scheme a service provider may apply to the CAC for an exemption and the CAC is required to make a decision on the application within a specified period The exemption may also stipulate expiration dates or circumstances whereby the service provider must reapply for an exemption 109 The CAC exemption facility indirectly strengthens the right to privacy of individual customers in that it provides a method of reducing data retention obligations for example in circumstances where the volume of data to be retained is disproportionate to the interests of law enforcement and national security Review of data retention scheme 110 A further important public accountability and transparency measure contained in the Bill is section 187N which provides for a review of the data retention regime commencing two years after the end of the implementation phase This responds to the recommendation in the 2013 PJCIS Report that ‗the effectiveness of the regime be reviewed by the PJCIS three years after its commencement ‘ and the recommendation in the 2015 PJCIS Report that the review commence two years after the conclusion of the implementation period and conclude within three years of the end of the period The data retention scheme will not be fully functional until at least two years after its commencement as industry begins to collect and retain the required data in accordance with the implementation arrangements In addition investigations and prosecutions span many years and they provide the most effective barometer through which the data retention scheme is best empirically assessed 20 Two year retention period 111 Section 187C provides that the data retention period for all classes of data subject to the scheme is two years 112 Law enforcement and national security agencies advise that a data retention period of two years is appropriate to support critical investigative capabilities The two year period draws on international experience in relation to the use and value of telecommunications data and achieves a balance between supporting the operational requirements of agencies and minimising privacy impacts associated with the retention of data The experience under the former EU Data Retention Directive was that while frequently data accessed by agencies was less than six months old there was a higher requirement for data up to two years old for national security and complex criminal offences 113 Data retention beyond the statutory retention period continues to be governed by industry business needs other legislated requirements such as those relating to tax records privacy protection obligations under Part 13 of the Telecommunications Act or the Privacy Act The Bill does not prevent a provider from keeping records for these purposes 114 The PJCIS recommended in its 2015 Report that the two-year retention period contained in the Bill be maintained recommendation 9 The Committee considered that a reduced period ―would risk undermining the efficacy of the scheme as a whole ‖3 Schedule 2—Agency use of preservation notices access to stored communications and access to telecommunications data 115 Access to telecommunications data is regulated by Chapter 4 of the TIA Act which permits an ‗enforcement agency‘ to authorise a carrier to disclose telecommunications data where it is reasonably necessary for the enforcement of the criminal law a law imposing a pecuniary penalty or the protection of the public revenue Lawful access to the telecommunications data is subject to existing safeguards contained in the TIA Act The TIA Act establishes a process of authorisation for access to telecommunications data that requires senior management officers of agencies to authorise access to this data before it is disclosed to the agency The authorisation process requires the authorised officer to consider the need for access to this information on a case-by-case basis in accordance with a prescriptive legal framework There are separate provisions enabling access by ASIO for purposes relevant to security 116 Currently under the TIA Act an enforcement agency is broadly defined as all agencies empowered to intercept telecommunications content as well as bodies whose functions include administering a law imposing a pecuniary penalty or administering a law relating to the protection of the public revenue The range of agencies that are enforcement agencies and which are capable of authorising the disclosure of telecommunications data is broad and includes Commonwealth State Territory and local government agencies as well as non-government or quasi-government bodies that carry out relevant functions 117 The Bill amends the definition of ‗enforcement agency‘ to clearly circumscribe the agencies who may access telecommunications data ensuring that access is limited to those agencies who have a clear and scrutinised need for access to telecommunications data in the 3 Paragraph 4 121 at 146 21 performance of their functions and are subject to appropriate privacy and oversight arrangements 118 Schedule 2 of the Bill engages the right to privacy under Article 17 of the ICCPR on the basis that the telecommunications data retained pursuant to subsection 187A 1 is accessible by agencies in accordance with the existing lawful access provisions The Bill does not lower the statutory threshold under which agencies are able to access telecommunications data Rather it continues to be the case that telecommunications data is only accessible through existing processes for lawfully accessing telecommunications data Moreover the Bill amends the Act to require that the authorised officer be satisfied that any interference with the privacy of a person is justifiable and proportionate having regard to the seriousness of the matter under investigation 119 In order to reinforce the privacy protections associated with a user‘s telecommunications data contained within the TIA Act Schedule 2 of the Bill introduces limitations upon the type of agencies that are permitted to authorise the disclosure of telecommunications data for an agency‘s investigations The Bill also places new limitations on the range of agencies that can access stored communications such as emails and SMSs by further confining the scope of agencies that can apply for stored communications warrants and issue preservation notices under Chapter 3 of the TIA Act 120 The refinements to the definition of enforcement agency coupled with the ministerial declaration models which would govern access ensure that data access arrangements are rigorously scrutinised Consistent with the nature of the powers that are reposed in enforcement agencies under Chapter 4 and their impact on privacy the definition of an enforcement agency appropriately circumscribes the access regime and introduces explicit ministerial and parliamentary scrutiny 121 The Minister may make a time-limited declaration having the effect of including an agency as a criminal law enforcement or enforcement agency The Minister must be satisfied that the authority or body undertakes investigative or public protection responsibilities which would necessitate access to stored communications and telecommunications data respectively The factors the Minister must consider when determining whether to declare an authority or body to be a criminal law-enforcement agency or an enforcement agency include whether the authority or body is required to comply with the Australian Privacy Principles the APPs or complies with a binding scheme that provides comparable protection to the APPs or has agreed in writing to comply with such a scheme if a declaration is made whether the Minister considers that the declaration would be in the public interest 122 The public interest criteria ensures that the Minister gives consideration to matters of community expectation which would include but not be limited to the proper administration of government public health and safety national security and the prevention and detection of crime and fraud 123 The ministerial declaration scheme reinforces the right to privacy in that it ensures that enforcement agency access to telecommunication data is strictly circumscribed and expansion of such access is subject to ministerial scrutiny This provides a critical safeguard and restricts such access to agencies which have satisfied the Minister that they have a 22 genuine and demonstrated need for access to telecommunications data The Minister may of his or her own motion revoke a declaration if he or she is no longer satisfied that the circumstances continue to justify access to telecommunications data The Minister can also impose conditions on access which provides a further ability to restrict and confine access to telecommunications data in a manner consistent with and proportionate to the needs of the agency to be declared in all the circumstances 124 The Bill amends Chapter 3 of the TIA Act to confine and limit those agencies that are able to apply for stored communications warrants and issue preservation notices While the TIA Act currently provides that enforcement agencies are able to apply for these stored communications warrants and issue preservation notices the Bill repeals these provisions and amends the TIA Act to provide that only criminal law-enforcement agencies are able to utilise these investigative powers 125 Criminal law-enforcement agencies are defined in the Bill to include Australian police forces and anti-corruption agencies that currently have the ability to apply for warrants for the interception of telecommunications the Australian Customs and Border Protection Service the Australian Securities and Investments Commission and the Australian Competition and Consumer Commission 126 The Bill provides that the Minister may declare additional agencies to be a criminal law-enforcement agency for a limited period subject to consideration of specified criteria prescribed in the Bill Longer term expansion of the class requires legislative amendment As a corollary of the higher level of intrusion into privacy occasioned by access to stored communications and prospective telecommunications data a higher threshold for an agency to be declared as a criminal law-enforcement agency applies in comparison to the criteria applicable for enforcement agency status Like the declarations for enforcement agencies the Minister must consider whether that access to stored communications information is reasonably likely to assist the authority or body in performing their investigative functions 127 The Bill does not lower the threshold of access to stored communications in Chapter 3 but substantially reduces the number of agencies who may seek to access stored communications by redefining the concept of a criminal law enforcement agency in the TIA Act 128 Collectively the amendments in relation to the range of agencies that may access stored telecommunications or telecommunications data contribute to ensuring that access is reasonable necessary and proportionate The existing frameworks in relation to access to use and disclosure of this lawfully accessed information in the TIA Act as further enhanced by the Bill continue to ensure that any abrogation on the privacy right in Article 17 is limited to the legitimate purposes articulated in the TIA Act Schedule 3—Oversight and accountability provisions 129 Schedule 3 extends the remit of the Ombudsman to enable the Ombudsman to comprehensively assess agency compliance with all of an enforcement agency‘s or a criminal law-enforcement agency‘s obligations under Chapters 3 and 4 of the TIA Act including use and access to telecommunications data Oversight of this category of data would also extend to auditing the use and access to data retained as a result of the data retention obligation 23 130 There is currently no independent oversight for the use of and access to telecommunications data Neither the TIA Act nor the predecessor arrangements in the Telecommunications Act included an independent oversight arrangement in relation to telecommunications data The Bill facilitates Ombudsman oversight of access to and use of telecommunications data 131 The oversight arrangements draw on the model contained in Part 6 of the Surveillance Devices Act 2004 Cth the SD Act and aspects of the oversight role performed by the Commonwealth Ombudsman under Part IAB of the Crimes Act 1914 Cth the Crimes Act The oversight model extends beyond agency record keeping and record destruction obligations and provides a higher level of guidance in terms of the precise obligations imposed on law enforcement agencies The model therefore supports compliance by agencies due to the higher level of precision in compliance obligations greater consistency in reporting methodology by agencies and higher acuity in statistical output to measure compliance for annual reporting and other audit-related purposes 132 Schedule 3 vests the Ombudsman with an over-arching role in assessing agency compliance across powers exercised under both Chapters 3 stored communications and 4 telecommunications data of the TIA Act Currently under the TIA Act the Commonwealth Ombudsman‘s audit functions in relation to stored communications are limited to compliance with an agency‘s record keeping and record destruction obligations The Bill expands the Ombudsman‘s oversight role in a manner consistent with that for oversight of access to telecommunications data 133 Currently the emphasis of the Ombudsman‘s oversight role under Chapters 3 of the TIA Act is on determining agency compliance with record keeping and destruction provisions The enhanced oversight function under Chapter 4A of the Bill enables assessment of an enforcement agency‘s overall compliance with the powers exercisable under Chapters 3 and 4 of the TIA The provisions relating to the powers scope and reporting obligations of the oversight role enable the Ombudsman to provide a level of public accountability as to how agencies have applied their powers under Chapters 3 and 4 134 The oversight model promotes Convention rights by virtue of the following key features holistic oversight of enforcement agency use of and access to telecommunications data beyond agency record keeping and record destruction obligations to ascertaining agencies‘ compliance in exercising their powers under Chapter 3 and Chapter 4 of the TIA Act excluding ASIO which is the subject of separate independent oversight a higher level of specificity and transparency in terms of the precise reporting obligations imposed on law enforcement agencies consistency in inspection methodology by virtue of a non-fragmentary model involving oversight of all agencies that apply the powers under Chapters 3 and 4 and clearly defined reporting obligations that engender o a higher level of compliance by agencies due to a greater level of precision in compliance obligations and 24 o greater acuity in statistical output to measure compliance for annual reporting and cross-agency compliance 135 The Bill promotes the right to privacy by confirming the Ombudsman‘s ability to audit an agency‘s use of its powers to access stored communications and telecommunications data under the TIA Act This helps ensure that an agency‘s access to the telecommunications information of interest to an investigation and the interaction with the privacy right in Article 17 in that regard is a reasonable necessary and proportionate limitation on that right to privacy 136 These measures are consistent in-principle with the 2013 PJCIS Reports recommendation that the Attorney-General‘s Department undertake a review of the oversight arrangements to consider the appropriate organisation or agency to ensure effective accountability under the TIA Act 137 The Ombudsman oversight of the telecommunications data regime recognises that access to telecommunications data by enforcement agencies potentially impacts on the privacy of persons whose data is being accessed It is responsive to privacy and other rightsbased issues raised by the implementation of the data retention regime and the ability for enforcement agencies to access telecommunications data A comprehensive oversight regime for telecommunications data assists in ensuring that use access to or disclosure of telecommunications data by enforcement agencies including retained data for purposes set out in Chapter 4 of the TIA Act is subject to independent compliance assessment It also serves to provide an important level of public accountability and scrutiny of agency practices by virtue of the Ombudsman public reporting regime being implemented in Chapter 4A 138 In summary the measures in Schedules 1 2 and 3 outlined above promote the right to privacy by enhancing privacy protections through for example Parliamentary scrutiny directly linking Privacy Act protections and appropriate oversight by the Privacy Commissioner Right to a fair hearing 139 The Bill engages Article 14 of the ICCPR which guarantees a person be afforded a fair hearing in relation to any suit at law and in the determination of any criminal charge against them the right to a fair trial in the following respects the imposition of civil penalty provisions in relation to a failure to comply with subsections 187A 1 and 187D a subsection 187M the imposition of criminal offence provisions contained in subsections 87 6 182A and 186C 3 the privilege against self-incrimination engaged by subsection 186D 1 and 2 and limitation of the circumstances in which a service provider can disclose data retained under Part 5-1A of the TIA Act in relation to or as a part of civil litigation subsections 280 1B and 281 of the Telecommunications Act Section 187M 140 Section 187M provides that civil penalties may apply where a service provider fails to keep or cause to be kept information or documents as required by the data retention 25 obligation or where a service provider fails to comply with an approved data retention implementation plan in respect of a communication carried by means of that service 141 The effect of this provision is that contraventions of statutory obligations in relation to the data retention regime are dealt with under the enforcement mechanisms specified under the Telecommunications Act Enforcement options available under the Telecommunications Act include remedial directions formal warnings pecuniary penalties and infringement notices 142 The United Nations Human Rights Committee has stated that the notion of criminal charges may ‗also extend to acts that are criminal in nature with sanctions that regardless of their qualification in domestic law must be regarded as penal because of their purpose character or severity‘ see General Comment No 32 para 15 Communication No 1015 2001 Perterer v Austria at para 9 2 As such a penalty or other sanction notwithstanding its nomenclature may be ‗criminal‘ for the purposes of the ICCPR even if it is described as a civil penalty under Australian domestic law It is therefore necessary to consider the substance as well as the form of the civil penalties provided for by the Bill 143 The civil penalty in subsection 187M is not in substance a criminal penalty provision Rather the provision forms part of a regulatory regime which provides for a graduated series of sanctions under the Telecommunications Act including infringement notices and pecuniary penalties It is aimed at an objective which is protective or regulatory the critical objective being to ensure provider compliance with the obligations imposed by the Bill as opposed to being punitive or reparatory in nature 144 The civil penalty provision is designed to ensure a proportionate regulatory response to redress systemic compliance issues as opposed to acts of moral culpability Further no term of imprisonment is provided typical of a criminal penalty provision and the maximum penalty is comparatively lower than would be imposed under counterpart criminal penalty provisions Although it may be regarded as large it is not excessive in that it applies to regulated enforcement agencies and is reasonable and proportionate having regard to the legitimate community interest in enforcing the obligation to retain selected telecommunications data to support its availability to law enforcement and security agencies 145 As the penalty provisions which apply in relation to subsection 187A 1 and paragraph 187D a are properly characterised as civil penalty provisions the criminal process guarantees in Article 14 and 15 do not apply However the equality of arms principles in Article 14 1 is enlivened because this principle applies equally to civil proceedings ‗Equality of arms‘ requires that each party be afforded a reasonable opportunity to present its case under the conditions that do not place it at a substantial disadvantage vis-à-vis another party Brandstetter v Austria Application No 11170 84 12876 87 13468 87 Strasbourg judgment 28 August 1991 §§41-69 ‗Equality of arms‘ essentially denotes equal procedural ability to state the case The right of equal access to a court embodied in Article 14 1 is engaged but not limited by section 187M This is because the imposition of a civil penalty in these circumstances does not derogate from or abridge existing procedural rights of parties to litigation and would not result in actual disadvantage or other unfairness to the defendant That is the provision would not impact upon opportunities to adduce or challenge evidence or present arguments on the matters at issue H v Belgium Application No 8950 80 Strasbourg judgment 30 November 1987 §§49-55 Further the provision in no way impedes 26 parties to a relevant proceeding being given the opportunity to contest all the arguments and evidence adduced Criminal penalty provisions—subsection 186C 3 section 182A and subsection 87 6 146 Subsection 186C 3 makes it a criminal offence to refuse to attend before an inspecting officer to give information or to answer questions where requested by an inspecting officer of the Ombudsman for the purposes of inspections conducted under Chapter 4A The maximum penalty for this offence is 6 months imprisonment 147 Subsection 87 6 similarly makes it a criminal offence for a person to fail to comply with a request to attend to provide information to give information or to answer questions from the Ombudsman under section 87 where the Ombudsman has reason to believe that an officer of an agency is able to give information relevant to an inspection under Chapter 2 Part 2-7 of the TIA Act The maximum penalty for this offence is 6 months imprisonment 148 Both offence provisions mirror existing provisions in the SD Act section 56 and Inspector-General of Intelligence and Security Act 1986 section 18 149 Criminal penalty provisions of this nature engage the criminal process rights under Article 14 of the ICCPR This Article sets out specific guarantees that apply to proceedings involving the determination of ‗criminal charge‘ and to persons who have been convicted of a ‗criminal offence‘ 150 The offence provisions are reasonable and proportionate and do not impermissibly limit the criminal process guarantees under the ICCPR To the extent they engage Article 14 they are unlikely to raise any issues of incompatibility with Article 14 2 of the ICCPR as they involve low penalties and relate to matters that are readily accessible and peculiarly within the defendant‘s knowledge It is reasonable to expect law enforcement officers who access regulated powers to comply with conditions associated with inspection and auditing of the exercise of those powers and to respond to relevant requests for information 4 151 The offence provisions moreover apply only to people who opt-in to the regulatory regime—people are not compelled to become law enforcement officials and officials are not compelled to work in investigations and use the powers and therefore potentially be exposed to penalties of this nature The enforcement agency officers to whom the offences would apply are best placed to make out a valid defence 5 The facts pertaining to any alleged infringement are readily provable by a law enforcement officer as a matter peculiarly within their own knowledge or to which they have ready access 6 That is they are capable of effective rebuttal by an officer of the agency that would be subject to the offence provisions 7 152 It is notable that the offence provisions would apply only to officials of law enforcement agencies Such officials hold positions of great public trust and exercise covert powers under the TIA Act Public confidence in the justice system requires that officials are held to a higher standard of conduct particularly because there are fewer avenues to identify misconduct in relation to powers exercised covertly 4 R v Wholesale Travel Group Inc 1991 3 SCR 154 Attorney-General‘s Reference No 4 of 2002 2005 1 AC 264 see also R v DPP ex parte Kebilene 2000 6 R v Johnstone 2003 UKHL 28 7 Pham Hoang v France 1993 16 EHRR 53 5 27 153 Section 182A makes it an offence for a person to use or disclose information about whether a journalist information warrant has been or is being requested or applied for the making of such warrant the existence or non-existence of such a warrant and the revocation of such a warrant The maximum penalty for this offence is 2 years imprisonment Section 182A is consistent with equivalent offence provisions already in place in relation to other warrants including telecommunications interception warrants and stored communications warrants These provisions create a ―need-to-know‖ within an agency to protect the privacy of the person who is the subject of a TIA Act warrant Subsections 186D 1 and 2 154 Article 14 3 g of the ICCPR protects the right to be free from self-incrimination by providing that a person may not be compelled to testify against him or herself or to confess guilt The right to be free from self-incrimination may be subject to permissible limitations provided that the limitations are for a legitimate objective and are reasonable necessary and proportionate to that objective 155 International jurisprudence suggests that the abrogation of the privilege against self-incrimination is more likely to be permissible where protections relating to the use of the information are included such as a ‗use immunity‘ which prohibits use of the information against the person in subsequent proceedings or a ‗derivative use immunity‘ which additionally prevents other information obtained as a result of the giving of self-incriminating information being used as evidence against the person 156 Subsection 186D 1 abrogates the privilege against self-incrimination as it provides that a person is not excused from giving information under Chapter 4A by reason that compliance would be incriminating However provision is made in subsection 186D 2 for use and derivative use immunities that restrict any direct or indirect use of that information in any subsequent criminal or civil proceedings except by way of a prosecution for an offence against sections 133 181A 181B or 182 or against Part 7 4 or 7 7 of the Criminal Code Subsection 186D 1 157 Subsection 186D 1 provides that a person is not excused from giving information answering a question or giving access to a document disclosing information as required under Chapter 4A oversight by the Commonwealth Ombudsman of the TIA Act despite other matters which may otherwise bar the giving of that information These matters are listed at paragraphs 186D 1 a to c and are that disclosure of the information would be a a contravention of a law b contrary to the public interest or c might tend to incriminate the person or make the person liable to a penalty Privilege against self-incrimination or self-exposure to a civil penalty 158 Paragraph 186D 1 c abrogates the privilege against self-incrimination or selfexposure to a civil penalty referred to hereafter together as ‗self-incrimination‘ in relation to the disclosure of information required under Chapter 4A Subsection 186D 2 provides however that the disclosed information cannot be used as evidence against the person who 28 disclosed that information whether directly or indirectly a ‗use immunity‘ and ‗derivative use‘ immunity The use and derivative use immunities do not apply to prosecutions for offences against sections 133 181A 181B and 182 of the TIA Act or Part 7 4 or 7 7 of the Criminal Code 159 Section 133 of the TIA Act creates an offence of unlawful dealing in accessed stored communications under Chapter 3 Part 3-4 Division 1 of the TIA Act Sections 181A 181 and 182 create offences for unlawful dealing in telecommunications data authorisation information or unlawful secondary disclosure of accessed telecommunications data under Chapter 4 Part 4-1 Division 6 of the TIA Act Parts 7 4 false or misleading statements and Part 7 7 forgery and related offences of the Criminal Code create offences relating to hindering obstructing intimidating or resisting a public official in the performance of their functions 160 The abrogation of the privilege in relation to the specified offences is reasonable and proportionate in the circumstances for the following reasons there are no other appropriate avenues for collecting this information which is peculiarly within a person‘s knowledge and not contained elsewhere in written documentation form for example the motive of a person in acting in a particular way or the public benefit derived from the abrogation of the privilege decisively outweighs the harm to individual rights The harm to individual rights is minimised by the provision of a use and derivative use immunity The limitation of the immunity to exclude listed offences corresponds with the likely focus of an Ombudsman investigation under Chapter 4A and it would frustrate the purpose of Ombudsman oversight if it were not possible for prosecutorial authorities to adduce as evidence material compulsorily obtained by the Ombudsman 161 Further the regime contained in Chapter 4A strengthens oversight and accountability of agency access to stored communications and telecommunications data The offences and their abrogation of relevant privileges provide support for an effective oversight regime 162 The disclosure of information to the Ombudsman and the ability to prosecute a person involved in wrongdoing under the TIA Act forms a core part of the inspection and oversight functions of the Ombudsman This function would be significantly impaired if persons were excused from providing self-incriminating information or if that information could not be used as evidence in TIA Act proceedings Other laws do not prevent the disclosure of information for the purposes of an inspection 163 Subsections 186D 3 and 4 provide that the unlawful disclosure provisions in sections 133 181A 181B or 182 of the TIA Act or in any other law do not prevent the disclosure of information to an inspecting officer of the Ombudsman for the purposes of an inspection under the oversight provisions contained in Chapter 4A 164 The purpose of provisions such as those in sections 133 181A 181B or 182 of the TIA Act is to protect the privacy of impact on persons whose information was accessed under the TIA Act Given the purpose of the oversight regime in ensuring that agencies access this privacy sensitive information in a lawful manner it is appropriate that the requirement to 29 disclose information to the Ombudsman under section 186D overrides other laws that would otherwise prevent the disclosure of that information Retained data and civil litigation –subsections 280 1B and 281 2 3 of the Telecommunications Act 165 Article 14 1 of the ICCPR provides that all persons shall be equal before the courts and tribunals and that in the determination of an individual‘s rights and obligations in a suit at law everyone shall be entitled to a fair and public hearing by a competent independent and impartial tribunal established by law This includes respect for the principle of ‗equality of arms‘ which requires that all parties to a proceeding must have a reasonable opportunity of presenting their case under conditions that do not disadvantage them as against other parties to the proceedings 166 Subsections 280 1B and 281 2 and 3 strictly limit the circumstances in which a service provider may disclose data that has been retained for the purpose of Part 5-1A in relation to or as part of civil litigation This measure engages the right to a fair hearing specifically the principle of equality of arms because it has the potential to affect procedural fairness in terms of the general conduct of the proceedings and the nature and quantum of evidence capable of being adduced by the parties and available for the court‘s deliberative processes 167 Specifically subsections 280 1B and 281 2 and 3 amend sections 280 and 281 of the Telecommunications Act to limit the disclosure of information or documents kept by a service provider solely for the purpose of complying with Part 5-1A of the TIA Act and that is used by the service provider only for that purpose a limited range of public interest purposes which include using or disclosing data in connection with an emergency warning a call to an emergency services number a threat to life situation or the preservation of human life at sea or a purpose incidental to those purposes These items give effect to recommendation 23 of the 2015 PJCIS Report The Committee received evidence of concerns about a possible increase in the frequency and volume of telecommunications data accessed by civil litigants as a result of the implementation of the data retention scheme and the public interest in confining disclosure of and access to telecommunications data to protect the broader privacy interests of the community 168 Subsections 280 1B and 281 2 and 3 engage Article 14 1 to the extent that prohibiting litigants from accessing telecommunications data as an evidentiary source in civil proceedings could potentially reduce the ability of parties to litigation to access a probative source of information relevant to their claim or response This has the propensity to affect their legitimate rights and interests in the conduct of civil litigation and constitute an additional ex ante barrier to mounting or defending a claim 169 However subsections 280 1B and 281 2 and 3 do not offend the equality of arms principle as telecommunications data is not be available as an evidentiary source for either party As such neither litigant is at a procedural disadvantage in terms of access to evidence or resources to formulate their case Precluding parties‘ access to a new source of information does not purport to nor effectively regulate the rules of evidence in courts and tribunals or impact the way in which other sources of evidence are collected or presented by either party The amendments seek to ensure that access to data that is currently available to claimants and 30 respondents is not reduced or limited as the prohibition is limited to data held solely for the purposes of compliance with the new data retention obligation and related purposes 170 Subsections 280 1B and 281 2 and 3 also contain a regulation making power permitting the Minister administering the Telecommunications Act to prescribe exceptions to this prohibition This enables exceptions to be formulated with the benefit of and informed by detailed empirical information about the use and application of telecommunications data in civil proceedings and enables any anticipated practical impediments to the conduct of litigation to be appropriately addressed The prohibition on the disclosure of retained data in connection with civil proceedings does not operate in relation to disclosures prior to the data retention scheme being implemented ensuring the Government has sufficient time to identify and put in place appropriate exceptions 171 In summary none of the fundamental tenets of the right to a fair hearing including the equality of arms principle are removed compromised or reduced by the measure Although the right to a fair hearing is potentially engaged by this measure it is not limited in that it would not undermine or compromise the overall procedural efficacy of civil proceedings The ability of an applicant or plaintiff to present their case or to challenge the case against them is not compromised as the restriction on access to telecommunications data applies equally to both parties As a result this measure does not prevent one party accessing their opponent‘s submissions nor does it compromise procedural equality or generally restrict access to admissible evidence relied on by the other party or adduced in the proceedings The way in which retention of data promotes the right to a fair hearing 172 More broadly the right to a fair hearing is promoted by the data retention measures in the Bill on the basis that telecommunications data is equally capable of providing exculpatory evidence as evidence implicating a person in criminality Accordingly the potential future lack of availability of key telecommunications data in the absence of this measure may prejudice the right to a fair hearing guaranteed by Article 14 of the ICCPR Given its forensic value telecommunication data has important evidentiary value in criminal proceedings The courts have an increasing expectation that such material is equally available to both the prosecution and defence Right to freedom of expression—Article 19 of the ICCPR 173 Article 19 of the ICCPR provides that all persons shall have the right to freedom of expression This right includes the freedom to seek receive and impart information and ideas of all kinds through any media of a person‘s choice It has been interpreted as encompassing every form of subjective ideas and opinions capable of transmission to others and should not be construed as being confined to means of political cultural or artistic expression 8 The means of communication listed in Article 19 2 are not exhaustive and the right to freedom of expression has been interpreted as including means of communication such as the contents of phone conversations 9 Article 19 3 provides that the right to freedom of expression may be subject to restrictions for specified purposes provided in the right including the protection of national security or public order ordre public which includes prevention of disorder and 8 Ballantyne Davidson McIntyre v Canada Human Rights Committee Communications Nos 357 1989 snf 385 1989 at 11 3 9 J R T and the W G Party v Canada Human Rights Committee Communication No 104 1981 8 31 crime where such restrictions are provided by law that is set down in formal legislation or an equivalent unwritten norm of common law and are necessary for attaining one of these purposes 174 The requirement of necessity implies that any restriction must be proportional in severity and intensity to the purpose sought to be achieved Limitations on freedom of expression on the grounds of ordre public include limitations for the purpose of preventing crime In order for the laws to be considered a necessary restriction on freedom of expression on the grounds of ordre public the restriction must be clearly defined 175 The Bill engages the right to freedom of expression in Article 19 to the extent that requiring providers of telecommunications services to retain telecommunications data about the communications of its subscribers or users as part of a mandatory dataset may indirectly limit the right to freedom of expression as some persons may be more reluctant to use telecommunications services to seek receive and impart information if they know that data about their communications is stored and may be subject to lawful access 176 The data retention regime aims to prevent criminal activity by ensuring that law enforcement and intelligence agencies have access to a limited range of vital telecommunications data central to virtually every organised crime counter-espionage cyber-security and counter-terrorism investigation It is also used in almost every serious criminal investigation such as murder rape and kidnapping The provisions in the Bill therefore fall within the scope of a specified purpose for which the freedom of expression may be limited 177 To the extent that the measures in the Bill have the effect of limiting the right to freedom of expression the limitation is designed for the legitimate objective of protecting public order The Bill limits the extent to which the right to freedom of expression is abrogated by ensuring that only the minimum necessary types and amounts of telecommunications data are retained and by limiting the range of agencies that may access telecommunications data 178 The additional safeguards on the access to and use of telecommunications data under the Bill through limiting the number of enforcement agencies able to access data making eligibility of access subject to ministerial declaration and the comprehensive Ombudsman oversight of data access and usage in Chapter 4A together with existing safeguards under the TIA Act including that agencies may only request data where it is reasonably necessary for a legitimate investigation provides assurance that specified data is only retained and used for law enforcement and investigative purposes meaning that any indirect limitation on the right to freedom of expression in Article 19 is appropriately minimised Journalist information warrant regime 179 As outlined above Article 17 of the ICCPR provides that everyone has the right to freedom from unlawful or arbitrary interferences with their privacy the right to privacy Article 19 2 of the ICCPR provides that everyone has the right to freedom of expression including the freedom to seek receive and impart information and ideas of all kinds regardless of frontiers either orally in writing or in print in the form of art or through any other media A journalist‘s right to protect confidential information derives from the right to freedom of expression and is a fundamental tenet of an open and unimpeded press Without such protection sources may be deterred from assisting the press in informing the public on 32 matters of public interest As a result the ability of the press to provide accurate and reliable information may be adversely affected 180 The Bill promotes the right to freedom of expression and the right to privacy in that it provides a higher threshold for the authorisation of disclosures of telecommunications data for the purposes of identifying a journalist‘s source 181 Specifically Division 4C creates a scheme that requires ASIO and enforcement agencies to obtain a warrant prior to authorising the disclosure of telecommunications data to identify a journalist‘s source The effect of the Division is to prohibit enforcement agencies from making historic or prospective data authorisations for access to a journalist‘s or their employer‘s data for the purpose of identifying a confidential source unless a journalist information warrant is in force that authorises the making of such authorisations 182 Agencies are required to obtain a journalist information warrant relating to an investigation into a particular journalist from an independent issuing authority or in the case of ASIO the Minister as a condition precedent to the agency being permitted to authorise the disclosure of telecommunications data by carriers for that investigation Notably the warrant scheme has the same protections safeguards and oversights that apply to agencies when they obtain telecommunications interception warrants The features of the scheme include creating new issuing authorities for the journalist information warrants use and disclosure offences and exceptions for agencies that obtain data relating to journalists and their sources allowing Public Interest Advocates at both the Commonwealth and State and Territory levels to make submissions to warrant issuing authorities statistical reporting by enforcement agencies in the public TIA Act Annual Report and by ASIO in its classified Annual Report and retention of information about the use of these warrants by agencies so that the PJCIS may have access to that information in its long term review of the data retention scheme 183 The Bill promotes the right of journalists to seek and to impart information by introducing specific safeguards to protect the confidentiality of journalists‘ sources These protections include a high threshold for access through ex ante judicial review of a warrant for data authorisation requests ensuring that data access for the purposes of identifying a source receives specific and dedicated independent attention This measure ensures that such access is only permitted in circumstances where the public interest in the issue of the warrant outweighs the public interest in maintaining the confidentiality of the source As a corollary the item also promotes the corresponding right of the public to receive information disseminated by a journalist in such circumstances augmenting the ability of the press to provide information on matters of public interest This item further promotes the right to freedom from arbitrary and unlawful interferences with privacy of the source and the journalist by providing for stronger protections that apply where an agency is seeking to access telecommunications data relating to the journalist or their employer for the purpose of identifying the source 184 Independent oversight through the creation of a warrant scheme approved by a judicial officer or AAT member minimises the potential for deterring sources from actively assisting the press to inform the public on matters of public interest and ensures that the media is not adversely affected by the measure The existence of robust oversight of authorisation requests militates against access to source information occurring in a way which is unduly privacy intrusive Further consistent and routine scrutiny of authorisations by 33 independent issuing authorities further assists in building public trust about how law enforcement and intelligence agencies are using or seeking to use coercive powers Journalists by extension have a greater level of assurance that the confidentiality of their sources will be preserved save where the public interest in identification outweighs the interest in confidentiality 185 The additional protection afforded to these data authorisations complements journalists‘ limited privilege to not be compelled to identify their sources where they have given an undertaking of confidentiality and is responsive to media concerns centring on press freedom and the protection of journalists‘ sources The Court of Justice of the European Union CJEU in assessing the former EU Data Retention Directive observed that ‗ the Directive does not provide for any exception with the result that it applies even to persons whose communications are subject according to rules of national law to the obligation of professional secrecy ‘ Digital Rights Ireland Ltd v Minister for Communications Marine and Natural Resources and others Irish Human Rights Commission intervening In re Kärntner Landesregierung and others Joined Cases C-293 12 and C-594 12 2014 WLR D 164 The amendments add a further warrant threshold providing a significant additional and unique protection in relation to the identification of confidential journalist sources 186 Further the statutory criteria to which issuing authorities must have regard in considering a journalist information warrant application including whether the interest in the disclosure of data outweighs the interest in confidentiality of the source with particular regard to the impacts on individual privacy the gravity of the conduct in relation to which the warrant is sought and the potential investigative utility of the information ensures that privacy and public interest considerations are always taken into account before a journalist information warrant is granted Issuing authorities based on their particular experience and qualifications are well placed to weigh source confidentiality against the operational outcomes sought to be achieved by disclosure Right to life and security of the person—Articles 6 and 9 of the ICCPR 187 The right to security of the person in Article 9 of the ICCPR requires States to provide reasonable and appropriate measures within the scope of those available to public authorities to protect a person‘s physical security 188 The right to life also imposes a positive obligation to protect life in Article 6 of the ICCPR In addition to protecting individuals from unwarranted actions by the State it is necessary for the State to protect individuals from unwarranted actions by private persons The Human Rights Committee has confirmed that protection of the right to life ‗requires that States adopt positive measures‘10 and the positive obligation to protect life in the context of law enforcement is likely to extend beyond putting in place an effective criminal justice system 11 Specifically European jurisprudence has established that the obligation to protect life also requires the police and other protective authorities to take in certain well-defined circumstances preventative operational measures to protect an individual whose life is at risk from the acts of a third party 12 The statutory obligation which the Bill places on service providers to retain a limited subset of telecommunication data which has been determined to 10 Human Rights Committee General Comment No 6 1982 para 5 Osman v United Kingdom 1998 29 EHRR 245 para 115 12 Osman v United Kingdom 1998 29 EHRR 245 see also Kontrová v Slovakia 2007 ECHR 7510 04 31 May 2007 See also Smith v Chief Constable of Sussex Police 2008 EWCA Civ 39 5 February 2008 11 34 be integral for law enforcement and security purposes buttresses the right to life in Article 6 of the ICCPR If such data is not retained and law enforcement investigations are resultantly compromised the ability of police to protect the physical security of potential victims of a crime is critically undermined 189 Access to telecommunications data at the inception of investigations enables agencies to narrow down the field of initial suspects and to identify linkages networks and patterns of criminality It is also the least privacy intrusive methodology to remove alleged suspects from inquiries and to identify criminal networks Access to this data is a key building block for investigations facilitating discovery of and providing context to identities location and point in time and potentially to prevent the commission of further crime The ability of law enforcement officers to harness investigative mechanisms facilitated by data access assists in promoting the welfare and safety of potential and actual victims of serious crimes as well as safeguarding the general public who may otherwise be susceptible to security incidents and criminal acts resulting in the arbitrary deprivation of life Right to an effective remedy – Article 2 3 of the ICCPR 190 Article 2 3 of the ICCPR protects the right to an effective remedy for any violation of rights or freedoms recognised by the ICCPR including the right to have such a remedy determined by competent judicial administrative or legislative authorities or by any other competent authority provided for by the legal system of the State 191 Section 187KA allows the CAC to refer disputes over applications for exemptions from and variations to data retention obligations to the Australian Communications Media Authority the ACMA 192 Section 187KA engages and promotes the right to an effective remedy as it provides service providers with an additional remedial avenue for the resolution of disputes by the ACMA in relation to exemptions or variation decisions made by the CAC 193 The Bill also confers on the ACMA a role to arbitrate disputes in relation to data implementation plans between the CAC and service providers and allows a service provider to apply to the ACMA for a review of CAC decisions about exemptions or variations of retention obligations applicable to their services 194 Providing administrative review of CAC decisions in addition to judicial review13 advances an applicant‘s right to an effective remedy Summary 195 Any interference with Convention rights occasioned by this Bill is in pursuit of a legitimate aim—the ability of law enforcement and intelligence agencies to obtain telecommunications data in order to safeguard national security prevent and detect crime and protect members of the public Access to this telecommunications data is essential for law enforcement and security agencies to effectively investigate a range of criminal offences and threats to national security In the absence of these measures there is a risk that agencies will not receive vital information relevant to these investigations This would limit agencies‘ 13 Judicial review remains available for decisions made under the TIA Act pursuant to paragraph 75 v of the Constitution and s 39B of the Judiciary Act 1901 Cth 35 abilities to fulfil their obligations into preventing detecting and prosecuting offences under Australian law and safeguarding Australia‘s national security Telecommunications data is not the only source of information available to law enforcement and national security agencies however it is a critical investigative tool that agencies use in order to identify and prosecute criminals and protect Australians 196 It is notable that telecommunications data also plays an important role in protecting the privacy of innocent parties who come within the scope of an agency‘s investigation by allowing an agency to rule them out from suspicion at an early stage and without having to resort to more privacy-intrusive investigative methods For example call charge records can show that a potential person of interest has had no contact with other members of a criminal syndicate 197 Telecommunications data is also frequently used to refine and direct the use of more intrusive investigative methods such as telecommunications interception avoiding unnecessary invasion of privacy The ability of law enforcement and national security agencies to use telecommunications data at the early stages of an investigation also displaces the need for agencies to employ more privacy and rights intrusive alternative investigative methods to build a picture of a suspect and their network of criminal associates 198 Under existing provisions under the TIA Act law enforcement and national security agencies can only access telecommunications data in limited circumstances Authorising officers must be satisfied on a case-by-case basis that the disclosure of the information is reasonably necessary and must be satisfied that the interference with privacy is justified and proportionate having regard to the seriousness of the matter under investigation and the likely utility of the information sought 199 Any purported interference with Convention rights resulting from this Bill are in pursuit of a legitimate aim namely the ability of law enforcement and intelligence agencies to access telecommunications data in order to safeguard national security and to prevent detect investigate and prosecute crime The reasonableness of the measures and their proportionality is supported by the specificity of the provisions being appropriately targeted for that legitimate purpose 200 The additional oversight by the Ombudsman contained in Schedule 3 to the Bill and the limitations on the range of agencies who may access telecommunications data which reduce the number and range of agencies able to access this information and subject the nature of their investigative activities and need for data to greater scrutiny are important safeguards that go towards the reasonableness and proportionality of the legislation as a whole Conclusion 201 The Bill is compatible with human rights because it promotes a number of human rights To the extent that it may also limit human rights those limitations are reasonable necessary and proportionate 36 NOTES ON CLAUSES Clause 1—Short title 202 This clause provides that when the Telecommunications Interception and Access Amendment Data Retention Bill 2015 is enacted it is to be cited as the Telecommunications Interception and Access Amendment Data Retention Act 2015 the Act Clause 2—Commencement 203 Clause 2 1 sets out when various provisions of the Act are to commence as described in the table 204 Item 1 in the table provides that sections 1 to 3 which concern the formal aspects of the Act as well as anything not elsewhere covered by the table commence on the day the Act receives the Royal Assent 205 Item 2 in the table provides that Schedule 1 Items 1 to 7 which amend the Telecommunications Interception and Access Act 1979 the TIA Act to introduce a mandatory data retention scheme for telecommunications service providers commence the day after the end of the period of 6 months beginning on the day this Act receives the Royal Assent The reason for the delay in commencement of these Items is to ensure that prior to commencement service providers can put in place implementation arrangements to comply with the data retention regime The delay also ensures that all appropriate instruments required under the Act are in effect 206 Item 3 in the table provides that Schedule 1 Items 8 to 11 commence on the day the Act receives the Royal Assent Items 8 to 11 in Schedule 1 are application provisions that allow service providers to keep documents and to make applications contained in Part 5-1A of the Act before that Part commences These provisions enable implementation plans and exemptions to be in place upon the commencement of the main amendments and allow service providers to begin complying with their data retention obligations 207 Item 4 in the table provides that Schedules 2 and 3 commence the day after the end of the period of 6 months beginning on the day this Act receives the Royal Assent The reason for the delay in commencement of these schedules is to enable agencies and oversight bodies to put in place implementation and necessary transition arrangements prior to commencement of the Act 208 Clause 2 2 allows the date the Act receives the Royal Assent to be inserted into the Act on publication This provision allows specification of the start and end dates for the implementation periods included in Schedules 1 Items 1 to 7 and Schedules 2 and 3 of the Act Clause 3—Schedules 209 Clause 3 provides that each Act specified in a Schedule to this Act amended or repealed as set out in the applicable items in the Schedule Any other item in a Schedule to this Act has effect according to its terms This is a technical provision to give operational effect to the amendments contained in the Schedules 37 SCHEDULE 1—DATA RETENTION PART 1—MAIN AMENDMENTS Overview of measures 210 Part 1 of Schedule 1 inserts Part 5-1A into Chapter 5 of the Telecommunications Interception and Access Act 1979 the TIA Act Chapter 5 deals with the interaction between agencies and carriers 211 This Schedule requires service providers to retain and secure listed telecommunications data 212 The amendments provide for a the obligation to keep and secure information and documents Division 1 b data retention implementation plans Division 2 c exemptions from the data retention requirements Division 3 d the confidentiality of data retention implementation plans and exemptions Division 4 e the Commonwealth to make a grant of financial assistance to service providers Division 4 f pecuniary penalties and infringement notices Division 4 g the Privacy Act to apply in relation to a service provider to the extent the extent of their data retention activities h a review of the operation of the data retention scheme by the Parliamentary Joint Committee on Intelligence and Security the PJCIS to commence no more than two years after the end of the implementation phase Division 4 and i annual reporting on the operation of the data retention scheme Division 4 213 The data retention obligation requires service providers to keep a minimum subset of telecommunications data also known as metadata that is critical to law enforcement and national security investigations and specifies the minimum period for which it must be kept The retention obligation creates a consistent obligation for record-keeping across the telecommunications industry The minimum obligation imposed by this legislation is consistent with the types of data and subscriber information currently held by service providers for billing quality assurance and other business purposes Some service providers may initially need to modify their systems to ensure they meet this minimum standard 214 The requirements on service providers to keep data as provided for by the Division 1 of Part 5-1A ensure the availability of a set of critical data for law enforcement and national security purposes 38 215 Division 2 of Part 5-1A allows service providers to develop and submit implementation plans to the Communications Access Co-ordinator the CAC for approval These plans will set out how the provider will achieve compliance with their data retention and security obligations over a period of up to 18 months 216 The implementation plan process is intended to allow service providers to develop and implement cost-effective solutions to their data retention obligations by for example aligning the implementation of such solutions with a provider‘s internal business planning and investment cycles ensure that service providers achieve substantial compliance with their data retention obligations early in the implementation phase by encouraging interim data retention solutions such as by increasing the storage for existing databases to allow for a longer retention period albeit for a period that is less than 2 years or by implementing full data retention capability for one or more but not all services covered by the plan or for one or more but not all kinds of data prescribed in the regulations facilitate engagement between industry and Government on the above issues and provide regulatory certainty for both industry and agencies during the implementation phase 217 Once approved by the CAC a service provider is required to comply with the implementation plan for a period of up to 18 months instead of the data retention and security obligations under sections 187A and 187C Additionally once approved a plan is only be able to be varied with the consent of both the CAC and the service provider 218 Division 3 of Part 5-1A provides that the CAC may grant exemptions to service providers for any or all of the obligations The CAC is required to consider both the interests of law enforcement and national security agencies and the objects of the Telecommunications Act 1997 when deciding whether to grant an exemption This allows exemptions to be granted where for example telecommunications data relating to the relevant service is likely to be of little or no relevance to law enforcement or national security investigations or where the cost of complying either in full or in part with data retention and security obligations in relation to the relevant service would be disproportionately high 219 Division 4 of Part 5-1A provides that the CAC must treat applications for implementation plans and exemptions as confidential as must any person to whom the CAC discloses such applications Division 4 also provides that the contravention of data retention obligations under Part 5-1A attracts civil penalties Further Division 4 allows the Commonwealth to make a grant of financial assistance to service providers and provides that the Privacy Act applies in relation to a service provider to the extent the extent of their data retention activities Division 4 also requires the Parliamentary Joint Committee on Intelligence and Security the PJCIS to review the operation of the data retention regime within three years of the mandatory data retention scheme being fully implemented and requires the Minister to report annually on the operation of the data retention regime 39 Telecommunications Interception and Access Act 1979 Item 1—Part 5-1A 220 Item 1 inserts Part 5-1A after Part 5-1 of the TIA Act The provisions inserted by this Part contain the requirements for the retention and security of prescribed telecommunications data by telecommunications service providers Division 1 of Part 5-1A—Obligation to keep information and documents Section 187A—Service providers must keep certain information and documents 221 This section provides that service providers must keep and secure certain information and documents Subsection 187A 1 —Information and documents to be kept 222 Telecommunications data is not defined in the TIA Act This approach is consistent with the technology-neutral approach of the Privacy Act and Part 13 of the Telecommunications Act 14 The term is described however through the provisions of Divisions 3 4 and 4A of Chapter 4 of the TIA Act which contain the powers of agencies to make authorisations for the disclosure of information or documents protected under Part 13 of the Telecommunications Act and section 172 of the Act which provides that Divisions 3 4 and 4A do not permit the disclosure of information that is the contents or substance of a communication or a document to the extent that it contains such information As such telecommunications data can be considered to be information about a communication but not its content or substance 223 Data retention obligations do not apply to all telecommunications data 224 The purpose of the data retention obligation is to create a consistent minimum retention obligation across the telecommunications industry in relation to a limited range of telecommunications data that is critical to law enforcement and national security investigations Data retention and security obligations apply to specified information or documents containing such information relating to a service operated by the service provider for the period specified under section 187C The limited subset of telecommunications data to which the obligations apply is specified by section 187AA Subsection 187A 3 describes the services to which data retention obligations apply 225 The detailed technologically-neutral table in subsection 187AA 1 is designed to ensure that the legislative framework gives service providers sufficient technical detail about their data retention obligations while remaining flexible enough to adapt to future changes in communication technology 14 Australian Law Reform Commission For Your Information Australian Privacy Law and Practice Report No 108 2008 73 33 40 Subsection 187A 3 —Application of Part 5-1A to certain services 226 Subsection 187A 3 sets out the services to which the data retention obligations under Part 5-1A of the Act apply Data retention obligations only apply to services that satisfy paragraphs 187A 3 a b and c 227 Paragraph 187A 3 a provides that the Part applies to a service if it is a service for carrying communications or that enable communications to be carried by guided or unguided electromagnetic energy or both Section 5 of the TIA Act defines the term ‗carry‘ for the purposes of the TIA Act The term is defined in the same manner as in the Telecommunications Act but should be interpreted in light of the objective of the TIA Act to allow for lawful access to communications in relation to law enforcement and national security investigations The concept of ‗enabling‘ a communication to be carried is intended to put beyond doubt that data retention obligations apply to relevant services that operate ‗over the top‘ of or in conjunction with other services that carry communications 228 Paragraph 187A 3 b provides that the Part applies to a service if it is a operated by a carrier within the meaning of the TIA Act b operated by an internet service provider within the meaning of Schedule 5 of the Broadcasting Services Act 1992 or c of a kind declared by the Minister 229 A service is ‗operated by‘ a carrier or an internet service provider even if a the service itself would not require a carrier licence or the service is not a ‗carriage service‘ within the meaning of the Telecommunications Act for example if a licenced carrier operates an email service that service is still operated by the carrier notwithstanding that to provide an email service does not require a licence or b in the case of an internet service provider the service itself is not an ‗internet access service‘ within the meaning of Schedule 5 of the Broadcasting Services Act 1992 for example if an internet service provider operates a VoIP service that service is still operated by the internet service provider notwithstanding that a VoIP service is not itself an internet access service 230 Paragraph 187A 3 c provides that Part 5-1A applies to a service if the person operating the service owns or operates in Australia infrastructure that facilitates or relates to the provision of any of its services of a kind referred to in paragraph a Item 5 of the Bill defines infrastructure as any line or equipment used to facilitate telecommunications across a telecommunications network The intention of paragraph 187A 3 c is that the data retention obligation applies to a service if the person operating the service owns or operates infrastructure in Australia relating to any of its services irrespective of whether the person owns or operates infrastructure in Australia relating to the particular service in question 231 Data retention obligations do not however apply to a broadcasting service within the meaning of the Broadcasting Services Act 1992 The definition of a ‗telecommunications service‘ in section 5 of the TIA Act currently excludes a service for carrying communications 41 solely by means of radiocommunication This exclusion is appropriate for the purposes of prohibiting and regulating the lawful interception of telecommunications where it is appropriate to consider the end-to-end passage of a communication across a telecommunications system as defined in section 5 of the TIA Act Data retention obligations by comparison expressly relate to such parts of a telecommunications service or system as are operated by a given service provider and which may therefore involve a service for carrying communication solely by means of radiocommunication As such subsection 187A 3 does not incorporate the radiocommunications exception but excludes broadcasting services Subsection 187A 3A - 3C — Declaration of additional classes of service providers 232 The telecommunications industry is highly innovative and increasingly converged Sophisticated criminals and persons engaged in activities prejudicial to security are frequently early adopters of communications technologies that they perceive will assist them to evade lawful investigations As such a declaration is required to ensure the data retention regime is able to remain up-to-date with rapidly changes to communications technologies business practices and law enforcement and national security threat environments 233 Subsection 187A 3A provides the Minister with a power to declare a service to be within the data retention scheme 234 Subsection 187A 3B provides that a declaration under subsection 187A 3A ceases to be in force after 40 sitting days of either House of Parliament after the declaration comes into force However such a declaration may be expressed to enter into force either when it is made or at some later date The time to expiry of the declaration only commences once the declaration comes into force 235 Subsection 187A 3C provides that where a Bill is introduced into the Parliament to amend the classes of service providers to which data retention obligations apply i e where a Bill is introduced that would permanently list an additional class of service provider on the face of the TIA Act the Bill must be referred to the PJCIS for inquiry Subsection 187A 3C requires the PJCIS to be given a minimum of 15 sitting days of a House of the Parliament for review and report on the bill These subsections give effect to recommendation 14 of the 2015 PJCIS Report Subsection 187A 4 — Information not required to be kept 236 Paragraph 187A 4 a provides that service providers are not required to keep information or documents that are the contents or substance of a communication such as the words spoken during a phone call or an email subject line This paragraph gives effect to the relevant part of recommendation 42 of the 2013 PJCIS Report that any mandatory data retention regime should apply only to telecommunications data and exclude content The paragraph explicitly states that the obligation to keep information does not require a carrier to retain content 237 Paragraph 187A 4 a does not preclude carriers from retaining the content or substance of a communication for other lawful purposes such as their lawful business purposes For example a service provider that provides an email service may keep the content of emails on a server as a necessary part of providing that service 42 238 Section 172 of the TIA Act currently prohibits ASIO or enforcement agencies from authorising the disclosure of the substance or content of a communication under a data authorisation made under Chapter 4 of the TIA Act Agencies may only access the substance or content of a communication under a warrant or in limited other circumstances such as in a life-threatening emergency 239 Paragraph 187A 4 b provides that service providers are not required to retain information or documents that state an address to which a communication was sent on the internet from a telecommunications device using an internet access service provided by the service provider and that was obtained by the carrier only as a result of providing a service for internet access 240 This provision gives effect to the relevant part of recommendation 42 of the 2013 PJCIS Report that internet browsing data should be explicitly excluded from the scope of any mandatory data retention regime This provision goes further than the 2013 PJCIS Report recommended by ensuring that service providers are not required to keep records of the uniform resource locators URLs internet protocol IP addresses port numbers and other internet identifiers with which a person has communicated via an internet access service provided by the service provider The provision is required because a URL is in some cases telecommunications data rather than content 241 Paragraph 187A 4 b only applies however to internet address identifiers obtained by a carrier solely as the result of providing an internet access service If the service provider obtains a destination internet address identifier as the result of providing another service the provider is required to keep a record of that identifier For example an email service provider is required to keep records of the destination internet address identifiers associated with the use of an email service such as the email and IP address and port number to which an email was sent Similarly if a service provider that provides an internet access service to a subscriber also provides a Voice over the Internet Protocol VoIP service to that subscriber the service provider is required to keep records of any destination internet address identifiers associated with the use of that VoIP service This could include the internet protocol IP address to which a VoIP call was sent In this example however the service provider is not required to keep records of any other destination internet address identifiers associated with web browsing 242 Paragraph 187A 4 b operates to exclude information of a certain character from retention obligations—being information an internet access service provider has about destinations on the internet that the provider only has because it provides that service While internet access services are used to both send and receive information received information is still of the above character and excluded by the paragraph However this paragraph does not exclude any provider from retaining information about the identifiers it assigns on a permanent or transient basis to an account device or relevant service such as network address translation NAT information Such information can be required to be retained by Item 1 d or Item 2 or both of the table in 187AA 243 Paragraph 187A 4 c provides that a service provider is not required to keep or cause to be kept information to the extent that it relates to a communication that is being carried by means of another service that is of a kind referred to in paragraph 187A 3 a and that is operated by another person using the relevant service operated by the service provider Furthermore a service provider is not required to keep or cause to be kept a document to the 43 extent that it contains such information This item seeks to ensure that service providers are only required to retain telecommunications data to the extent that such information is available to that service provider 244 The note at the end of paragraph 187A 4 c puts beyond doubt that service providers are not required to keep information or documents about communications that are carried or enabled by means of services that they themselves do not provide that pass ‗over the top‘ of the underlying service they provide This item implements recommendation 6 of the 2015 PJCIS Report 245 Paragraph 187A 4 d provides that the requirements to keep data under section 187A do not apply to information that a service provider is required to delete because of a determination made under section 99 of the Telecommunications Act An example of such a determination is the Telecommunications Service Provider—Identity Checks for Pre-paid Public Mobile Carriage Services Determination 2013 246 Paragraph 187A 4 e provides that a service provider is not required to keep information about the location of a telecommunications device that is not information used by the service provider in relation to the relevant service to which the device is connected This could include for example a record of which cell tower base station or other network access point a device was connected to This provision ensures that service providers are not required to generate and keep location records that are more detailed than or different to the location records used in relation to the relevant service Subsection 187A 5 —Attempted and untariffed communications 247 Paragraph 187A 5 a prescribes the circumstances in which an attempt to send a communication is taken to be the sending of a communication which would trigger data retention obligations under subsection 187A 1 These circumstances include for example where a a phone number is dialled but the phone rings and is unanswered or rings out subparagraph 187A 5 a i b an email server attempts to send a new email to an email client but the client email server does not exist or is not working subparagraph 187A 5 a ii or c a mobile phone number is dialled but the destination mobile phone is switched off and so is not recorded on the network‘s Visitor Location Register as such the network does not attempt to connect the phone call and instead informs the caller that the phone is switched off or unavailable subparagraph 187A 5 a iii 248 Paragraph 187A 5 b clarifies that untariffed communications such as 1800 phone calls communications sent using ‗unlimited‘ phone or internet plans or free internet or application services are communications for data retention purposes and thus may be the subject of data retention obligations 44 Subsection 187A 6 —Service providers must create information or a document if not already created by the operation of the relevant service 249 Subsection 187A 6 clarifies that if the information or documents that service providers are required to keep under subsection 187A 1 are not created by the operation of the relevant service or if they are only created in a transient fashion then the service provider is required to use other means to create this information or document 250 Mandatory data retention is the creation of a consistent minimum standard across the telecommunications industry for what data is to be collected and how long it is to be retained Subsection 187A 6 ensures that all service providers must meet this minimum standard whether or not that data is currently being collected or retained by the relevant service provider Section 187AA—Information to be kept 251 This section lists the information or documents that service providers must retain and secure in order to comply with obligations The effect is to prescribe the data set in primary legislation implementing recommendation 2 of the 2015 PJCIS Report 252 The table below sets out explanatory material relating to each of the categories of information or documents that service providers must retain for the purposes of this section along with a description of the information that may be included within each kind of information and an accompanying explanation This table is not exhaustive of the information that may be included within each kind of information listed in subsection 187AA 1 45 Information or documents to be kept Item 1 Topic Description of information Column 1 The subscriber of and accounts services telecommunications devices and other relevant services relating to the relevant service Column 2 The following a any information that is one or both of the following i any name or address information ii any other information for identification purposes relating to the relevant service being information used by the service provider for the purposes of identifying the subscriber of the relevant service b any information relating to any contract agreement or arrangement relating to the relevant account service or device c any information that is one or both of the following i billing or payment information ii contact information relating to the relevant service being information used by the service provider in relation to the relevant service d any identifiers relating to the relevant service or any related account service or device being information used by the service provider in relation to the relevant service or any related account service or device e the status of the relevant service or any related account service or device Explanation This category includes customer identifying details such as name and address It also includes contact details such as phone number and email address This information allows agencies to confirm a subscriber‘s identity or link a service or account to a subscriber This category also includes details about services attached to account such as the unique identifying number attached to a mobile phone or the IP address or addresses allocated to an internet access account or service This category further includes billing and payment information Information about the status of a service can include when an account has been enabled or suspended a relevant service has been enabled or suspended or is currently roaming or a telecommunications device has been stolen The phrases ‗any information‘ and ‗any identifiers‘ should be read to mean the information that the provider obtains or generates that meets the description which follows that phrase If the provider has no information that meets the description including because that kind of information does not pertain to the service in question no information needs to be retained For instance if a provider offers a free service and therefore has no billing information no billing information needs to be retained by that provider with respect to that service the provider will need to retain subscriber and transactional data with respect to that service but no billing information needs to be retained Service providers are not required to collect and retain passwords PINs secret questions or token codes which are used for authentication purposes 46 Information or documents to be kept Item 2 Topic Description of information Column 1 The source of a communication Column 2 Identifiers of a related account service or device from which a communication has been sent or attempted to be sent by means of the relevant service Explanation Identifiers for the source of a communication may include but are not limited to the phone number IMSI IMEI from which a call or SMS was made identifying details such as username address number of the account service or device from which a text voice or multi-media communication was made examples include email Voice over IP VoIP instant message or video communication the IP address and port number allocated to the subscriber or device connected to the internet at the time of the communication or any other service or device identifier known to the provider that uniquely identifies the source of the communication In all instances the identifiers retained to identify the source of the communication are the ones relevant to or used in the operation of the particular service in question 47 Information or documents to be kept Item 3 Topic Description of information Column 1 The destination of a communication Column 2 Identifiers of the account telecommunications device or relevant service to which the communication a has been sent or b has been forwarded routed or transferred or attempted to be forwarded routed or transferred Explanation Paragraph 187A 4 b puts beyond doubt that service providers are not required to keep information about subscribers‘ web browsing history The destination of a communication is the recipient Identifiers for the destination of a communication may include but are not limited to the phone number that received a call or SMS identifying details such as username address or number of the account service or device which receives a text voice or multi-media communication examples include email VoIP instant message or video communication the IP address allocated to a subscriber or device connected to the internet at the time of receipt of the communication or any other service or device identifier known to the provider that uniquely identifies the destination of the communication For internet access services the Bill explicitly excludes anything that is webbrowsing history or could amount to webbrowsing history such as a URL or IP address to which a subscriber has browsed In all instances the identifiers retained to identify the destination of the communications are the ones relevant to or used in the operation of the particular service in question If the ultimate destination of a communication is not feasibly available to the provider of the service the provider must retain only the last destination knowable to the provider 48 Information or documents to be kept Item 4 5 Topic Description of information Column 1 The date time and duration of a communication or of its connection to a relevant service Column 2 The date and time including the time zone of the following relating to the communication with sufficient accuracy to identify the communication a the start of the communication b the end of the communication c the connection to the relevant service and d the disconnection from the relevant service The type of a communication and relevant service used in connection with a communication The following a the type of communication Examples Voice SMS email chat forum social media b the type of the relevant service Examples ADSL Wi-Fi VoIP cable GPRS VoLTE LTE c the features of the relevant service that were or would have been used by or enable for the communication Examples call waiting call forwarding data volume usage Explanation For phone calls this is simply the time a call started and ended For internet sessions this is when a device or account connects to a data network and ends when it disconnected – those events may be a few hours to several days weeks or longer apart depending on the design and operation of the service in question The type of communication means the form of the communication for example voice call vs internet usage The type of the relevant service 5 b provides more technical detail about the service For example for a mobile messaging service whether it is an SMS or MMS Data volume usage applicable to internet access services refers to the amount of data uploaded and downloaded by the subscriber This information can be measured for each session or in a way applicable to the operation and billing of the service in question such as per day or per month Note This item will only apply to the service provider operating the relevant service see paragraph 187A 4 c 49 Information or documents to be kept Item 6 Topic Description of information Column 1 the location of equipment or a line used in connection with a communication Column 2 The following in relation to the equipment or line used to send or receive the communication a the location of the equipment or line at the start of the communication b the location of the equipment or line at the end of the communication Examples Cell towers WiFi hotspots Explanation Location records are limited to the location of a device at the start and end of a communication such as a phone call or Short Message Service SMS message For services provided to a fixed location such as an ADSL service this requirement can be met with the retention of the subscriber‘s address Paragraph 187A 4 e of the Bill provides that location records are limited to information that is used by a service provider in relation to the relevant service This would include information such as which cell tower Wi-Fi hotspot or base station a device was connected to at the start and end of communication Service providers are not required to keep continuous real-time or precise location records such as the continuous GPS location of a device These limitations seek to ensure that the locations records to be kept by service providers do not allow continuous monitoring or tracking of devices 253 Subsections 187AA 2 - 5 implement Recommendation 3 of the 2015 PJCIS Report 254 Subsection 187AA 2 permits the Minister to amend the dataset on a temporary basis by issuing a declaration Subsection 187AA 2 is subject to subsections 187AA 3 - 4 which set out when such a declaration is in force and the Minister‘s powers in relation to the declarations This is designed to cover a situation in which future technologies or changing telecommunications practices require amendments to the data set to ensure the data retention scheme continues to meet its underlying purpose 255 Paragraph 187AA 3 a provides that the declaration comes into force either when it is made or on a later day specified in the declaration Paragraph 187AA 3 b provides that the declaration ceases to be in force after 40 sitting days of either House of Parliament after the declaration comes into force The time to expiry of the declaration only commences once the declaration comes into force which may be later than when it is made 256 Subsection 187AA 4 requires that when a bill is introduced into either House of Parliament to permanently amend the data set or any of the limitations on the data set In those circumstances the Minister must refer the amendment to the PJCIS and give the PJCIS at least 15 sitting days of a House of Parliament to conduct its review and issue its report 50 257 Subsection 187AA 5 provides that in relation to the telecommunications data required to be retained in items 2 3 4 and 6 in the dataset in subsection 187AA 1 two or more communications that together constitute a single communications session are taken to be a single communication 258 Subsection 187AA 5 ensures that providers are not required to record the source destination time date and duration of a communication or the location of a device throughout a communications session For example a smartphone connected to a mobile data network may have multiple applications running in the background each of which may routinely communicate with remote servers such as to seek and obtain updates As such the smartphone may send and receive a near-continuous stream of communications However these communications may together constitute a single communications session Absent this provision providers could for example be required to record the location of the device on a near-continuous basis The effect of the provision is that providers of mobile internet access services are only required to record prescribed location information for the overall communication rather than its constituent components 259 Whether a series of communications constitutes a single communications session is a question of technical fact and depends on the objective operation of the provider‘s network or service This question should not be determined from the user‘s perspective as the provider subject to data retention obligations is generally unable to assess a user‘s intentions in this regard and in many cases users are unlikely to be aware of when their device is communicating such as when applications installed on a smartphone or computer automatically seek and receive updates Section 187B—Certain service providers not covered by this Part 260 Section 187B excludes certain service providers from being required to comply with data retention obligations under subsection 187A 1 of the TIA Act The purpose of section 187B is to ensure that entities such as governments universities and corporations are not required to retain telecommunications data in relation to their own internal networks provided these services are not offered to the general public and that providers of communications services in a single place such as free Wi-Fi access in cafes and restaurants are not required to retain telecommunications data in relation to those services However the CAC can declare that data from such services must nevertheless be retained 261 Subparagraph 187B 1 a i provides that data retention obligations do not apply if the service is provided only to a person‘s ‗immediate circle‘ within the meaning given by section 23 of the Telecommunications Act This definition includes amongst other things persons in corporate networks government networks and tertiary institutions Such networks are excluded from data retention obligations if the carriage services as defined in the Telecommunications Act associated with them are not available to the general public 262 Subparagraph 187B 1 a ii provides that data retention obligations do not apply if the service is provided only to places that are all in the same area as defined in section 36 of the Telecommunications Act Section 36 of the Telecommunications Act describes a range of circumstances in which places are considered to be all in the same area Generally speaking the concept of ‗same area‘ includes amongst other things places such as university campuses cafes or restaurants 51 263 Paragraph 187B 1 b qualifies the exemptions in paragraph 187B 1 a by providing that the CAC can make a declaration under subsection 187A 2 that data must nevertheless be retained in relation to the relevant services 264 Subsection 187B 2 provides that the CAC can declare that the provider of an ‗immediate circle‘ or ‗same area‘ service as defined in subsection 187B 1 is nevertheless required to retain telecommunications data in relation to the relevant services according to the requirements of subsection 187A 1 265 Subsection 187B 2A enables the Communications Access Co-ordinator the CAC to consult the Privacy Commissioner before making a declaration that data retention obligations apply to an otherwise exempt relevant service This item implements recommendation 13 of the 2015 PJCIS Report by enabling the CAC to consult with the Privacy Commissioner 266 The paragraphs implement recommendation 13 of the 2015 PJCIS Report by requiring the CAC to consider the objects of the Privacy Act when considering whether to make a declaration under subsection 187B 2 that the data retention obligation applies to an otherwise exempt relevant service 267 Subsection 187B 3 provides that in making a declaration under subsection 187B 2 the CAC must have regard to the interests of law enforcement and national security the objects of the Telecommunications Act and the objects of the Privacy Act 1988 the Privacy Act and any submissions made by the Privacy Commissioner as a result of consultations under subsection 187B 2A when considering whether to make a declaration The main but not the only objects of the Telecommunications Act are set out in section 3 1 of that Act and are to provide a regulatory framework that promotes a the long-term interests of end-users of carriage services or of services provided by means of carriage services b the efficiency and international competitiveness of the Australian telecommunications industry and c the availability of accessible and affordable carriage services that enhance the welfare of Australians 268 Subsection 187B 4 provides that the CAC‘s declaration must be in writing 269 Subsection 187B 5 provides that a declaration made by the CAC under this section is not a legislative instrument Subsection 187B 5 is included to assist readers as a declaration made by the CAC under this section is not a legislative instrument within the meaning of section 5 of the Legislative Instruments Act 2003 270 Subsections 187B 6 and 7 require the CAC to give written notice of a declaration to the Minister under subsection 6 who must in turn give the written notice to the PJCIS under subsection 7 as soon as practicable These subsections implement recommendation 13 of the 2015 PJCIS Report Section 187BA—Ensuring the confidentiality of information 271 Section 187BA gives effect to recommendation 37 of the 2015 PJCIS Report by supplementing the obligations of service providers under Australian Privacy Principle APP 11 1 to ‗take such steps as are reasonable in the circumstances to protect the information from 52 misuse interference and loss and from unauthorised access modification or disclosure ‘ Section 187LA provides that the Privacy Act applies to all service providers to the extent that the service provider‘s activities relate to retained data Further section 187LA provides that information and documents kept by a service provider in complying with Part 5-1A are personal information within the meaning of the Privacy Act and so must be protected in accordance with APP 11 1 This item also supplements the obligations of carriage service providers under clause 4 6 3 of the Telecommunications Consumer Protection Code C628 2012 to ‗have robust procedures to keep its Customers‘ Personal Information in its possession secure and restrict access to personnel who are authorised by the Supplier ‘ 272 This section requires service providers to protect the confidentiality of information or documents kept in accordance with section 187A Service providers are required to protect these records in two ways by encrypting the information and by protecting the information from unauthorised interference or unauthorised access 273 This section does not prescribe a particular type of encryption the decision about how to implement the encryption required by this item will be a matter for the service provider to determine in light of all the circumstances including in particular the technical configuration of the system or systems used to keep information required to be retained under section 187A and whether a particular method or set of methods of encryption will be adequate to protect the confidentiality of that information 274 Where a service provider encrypts retained data the service provider must retain the technical capability to decrypt and disclose relevant retained data in a useable form in accordance with a lawful request or requirement under the TIA Act or Telecommunications Act 275 Under Division 2 of Part 5-1A a service provider may seek approval of a data retention implementation plan that replaces the service provider‘s obligations under section 187BA while the plan is in force Additionally under Division 3 of Part 5-1A a service provider may apply for and receive an exemption from or variation to the service provider‘s obligations under section 187BA An example of a situation in which such an exemption or variation might be appropriate would be where the cost of encrypting a legacy system that was not designed to be encrypted would be unduly onerous and the service provider has identified alternative information security measures that could be implemented However an exemption would not normally be appropriate where fulfilling the data protection obligations would be merely inconvenient Section 187C—Period for keeping information and documents 276 Section 187C sets out the required period for service providers to retain specified telecommunications data A retention requirement of two years is necessary having regard to the requirements of national security and law enforcement agencies to have telecommunications data available for investigations It is also consistent with privacy expectations and the privacy of users of the Australian telecommunications system The experience under the former European data retention scheme was that while frequently data accessed by agencies was less than six months old for national security and serious criminal offences data up to two years old would often be required for the most complex investigations into crimes and threats to national security that can have the most damaging effect 53 277 However the retention period in section 187C is subject to an exemptions regime in Division 3 of Part 5-1A In particular paragraph 187K 1 c allows the CAC to reduce the required retention period In addition data retention implementation plans that a service provider may provide under Division 2 of Part 5-1A of the TIA Act may also be relevant to the period for which a service provider must retain relevant data It is possible for a data retention implementation plan to specify a retention period for a service offered by a service provider of less than two years in relation to services under the plan while the plan is in force 278 Paragraph 187C 1 a sets out the required period for retention of subscriber telecommunications data Subscriber telecommunications data is the documents or information of the kind described in paragraph a or b in column 2 of item 1 of the table in subsection 187AA 1 For basic subscriber data a service provider must retain the data from when it was created until two years after the closure of the relevant account Records relating to the use of an account such as call-charge records are significantly less useful if they cannot be associated with a real-world subscriber Subscriber records are typically generated when an account or service is opened and may not be updated for many years The purpose of this provision is to ensure that subscriber records associated with an account are available throughout the life of the account and for as long as records relating to communications sent using that account are retained This is intended to ensure that the necessary information is available to establish a connection between a particular communication and the subscriber 279 This provision is subject to subsection 187C 2 which permits the Governor-General to prescribe in regulations that the retention period for certain information of a kind described in paragraph a or b in column 2 of item 1 of the table in subsection 187AA 1 is the period starting when it came into existence and ending two years after the information came into existence 280 Paragraph 187C 1 b sets out the retention period for all types of data that is required to be retained other than subscriber data In general terms this applies to telecommunications traffic data Specifically it means the information or documents referred to in subsection 187AA 1 other than paragraph c or b in column 2 of item 1 As the provision provides the required retention period for this data is from when that data came into existence until two years after it came into existence 281 Subsection 187C 3 provides that a service provider is not prevented by the provisions of section 187C from keeping telecommunications data for longer periods that those set down in section 187C This means for example that service providers are not prevented by section 187C from retaining telecommunications data for longer than two years for their own lawful business purposes Likewise the scheme does not intend to regulate the de-identification and destruction of data once the retention period has expired However other laws regulations may mandate how providers handle the retained data once the retention period has expired 282 For instance the Australian Privacy Principles APPs as set out in Schedule 1 of the Privacy Act 1988 the Privacy Act still applies to service providers covered by the Privacy Act and their dealings with the telecommunications data that is personal information and that is required to be retained under the Part 5-1A of the TIA Act For instance APP 11 2 requires entities to take reasonable steps to destroy personal information or to ensure that the information is de-identified where the entity no longer needs the information for a reason set out in the APPs Where the required retention period for telecommunications data under the 54 Part 5-1A of the TIA Act expires entities may be required to destroy or de-identify such information if it constitutes personal information 283 However as APP 11 2 d provides an entity is only required to destroy or de-identify personal information where ‗the entity is not required by or under an Australian law… to retain the information‘ The data retention requirements set out in Part 5-1A of the TIA Act constitute such a law requiring retention of the relevant information during the specified period Division 2 of Part 5-1A—Data Retention Implementation Plans 284 Division 2 of Part 5-1A of the TIA Act supports the development of data retention implementation plans Data retention implementation plans are intended to be plans that allow the telecommunications industry to design a pathway to full compliance with their telecommunications data retention and security obligations within 18 months of the commencement of those obligations while also allowing for interim measures that result in improved data retention practices 285 Data retention implementation plans complement the availability of exemptions under Division 3 of Part 5-1A For example a service provider is able to seek an exemption for some of its services under Division 3 while at the same time submit an implementation plan for some or all of its other services under Division 2 Section 187D—Effect of data retention implementation plans 286 Section 187D sets out the effect of data retention implementation plans While a plan is in force in relation to a relevant service offered by the service provider the service provider must comply with the plan in relation to that service in lieu of the obligations that would otherwise apply under sections 187A 187BA and 187C Section 187E—Applying for approval of data retention implementation plans 287 Section 187E sets out the process for service providers to apply for approval of data retention implementation plans Submission of implementation plans by service providers is voluntary However in the absence of an implementation plan service providers are required to comply with the data retention and security obligations immediately on their commencement 288 Subsection 187E 1 provides that a service provider can apply to the CAC for approval of an implementation plan in relation to one or more services that it offers The application provisions contained in Part 3 permits applications to be lodged considered and approved from the date of Royal Assent A service provider is not obliged to submit an implementation plan for all of its services 289 Subsection 187E 2 sets out the matters a service provider‘s implementation plan must include The purpose of subsection 187E 2 is to ensure that a service provider‘s implementation plan gives sufficient information for the CAC and any other person considering the plan to make an informed decision on the plan 290 Paragraph 187E 2 a provides that a service provider‘s implementation plan is required in relation to each relevant service to include an explanation of the current relevant 55 data retention and information security practices of the service provider In particular paragraph 187E 2 a requires that the plan explain what practices the service provider has in relation to the information or documents it would otherwise have had to retain under section 187A had the implementation plan not been in force This ensures that the CAC has sufficient knowledge of existing practices to ascertain the changes to its practices the service provider will have to undertake to meet its obligations 291 Paragraph 187E 2 b requires that an implementation plan include details of the interim arrangements if any that a service provider proposes to implement prior to achieving full compliance Examples of interim arrangements that a service provider could propose include collection on only part of the data set normally required to be kept under subsection 187A 1 or retention of such data for less than two years A service provider can propose more than one interim arrangement over the life of the implementation plan for any particular relevant service 292 Paragraph 187E 2 c specifies that a service provider‘s implementation plan is required in relation to each relevant service to specify when the service provider will comply with its data retention obligations under section 187A including the required time period for retaining relevant information or documents under section 187C and the security requirements in section 187BA However as stated in paragraph 187E 2 c a service provider will not be required to provide this information in its plan to the extent that it has obtained relevant exemptions from its data retention obligations from the CAC under Division 3 of Part 5-1A of the TIA Act 293 Subsection 187E 3 clarifies that a service provider is not able to nominate a date in its implementation plan for compliance with its data retention obligations that is later than the relevant date provided in section 187H regarding when implementation plans are in force Under subparagraph 187H b i for telecommunications services that the service provider was already operating when Part 5-1A of the TIA Act commenced the relevant date is 18 months after commencement of Part 5-1A Under subparagraph 187H b ii for telecommunications services that the service provider was not already operating when Part 5-1A of the TIA Act commenced the relevant data is 18 months after the time when the service provider started operating the service 294 Subsection 187E 4 provides that a service provider‘s plan must also specify any relevant services of the service provider not covered in the implementation plan and the contact details of relevant employees of service providers in relation to the implementation plan 295 The purpose of paragraph 187E 4 a is to ensure that the implementation plan makes it clear whether relevant services of the service provider are not to be incorporated in the plan This will provide the CAC and any other person considering the plan with information to make an informed decision on the plan 296 Paragraph 187E 4 b also ensures that the relevant employees of the service provider can be contacted directly in relation to the plan Service providers should provide names direct phone numbers and email addresses of staff that have worked on or are responsible for the implementation plan This provision is designed to avoid for example a situation where 56 the CAC or other relevant persons would have to contact the service provider‘s general public contact number to discuss the implementation plan Section 187F—Approval of data retention implementation plans 297 Section 187F sets out the process for the CAC to consider and approve data retention implementation plans 298 Subsection 187F 1 provides that if a service provider submits a plan to the CAC the CAC must either approve the plan and notify the service provider or give the plan back to the service provider for specified amendments The CAC may not refuse to take the plan or decline to consider the plan 299 Subsection 187F 2 sets out a list of factors the CAC must take into account in deciding whether or not to approve a plan submitted by a service provider These factors are 187F 2 a —The desirability of the service provider achieving substantial compliance with its data retention and security obligations as soon as is practicable which would take into account any interim arrangements proposed by the service provider as well as the time by which the provider proposes that each service covered by the plan will be fully compliant 187F 2 b —Whether the proposed implementation plan would reduce the regulatory burden on the service provider made by data retention obligations in Part 5-1A 187F 2 c —If the service provider is not complying with its data retention or security obligations in relation to one or more of its services—the reasons why the service provider is not complying 187F 2 d —The interests of law enforcement and national security 187F 2 e —The objects of the Telecommunications Act The main but not the only objects of the Telecommunications Act as set out in section 3 of that Act are the long-term interests of end-users of carriage services or of services provided by means of carriage services the efficiency and international competitiveness of the Australian telecommunications industry and the availability of accessible and affordable carriage services that enhance the welfare of Australians 187F 2 f —Any other matter the CAC considers relevant 300 Subsection 187F 3 provides that if the CAC does not make a decision and communicate that decision within 60 days it is deemed that the CAC has made and notified the service provider of the decision the service provider asked for The effect of this provision is to ensure that the service provider is required to comply with the implementation plan in lieu of the obligations that otherwise apply under sections 187A This provision does not require the CAC to make a decision within 60 days rather the provision is intended to ensure that service providers have certainty about their obligations and are not required to act in an manner that would pre-empt the CAC‘s decision in situations where the CAC takes more than 60 days to either approve or to request an amendment to the plan 57 301 Subsection 187F 4 qualifies subsection 187F 3 Subsection 187F 4 provides that a deemed decision under subsection 187F 3 is in force only until the CAC makes and communicates to the service provider the CAC‘s actual decision on the application 302 The CAC‘s decision is not reviewable under the Administrative Decisions Judicial Review Act 1977 the ADJR Act as decisions under the TIA Act are not decisions to which the ADJR Act applies see paragraph d of Schedule 1 to the ADJR Act The exclusion of these decisions from the ADJR Act does not prevent decisions made under the TIA Act from being judicially reviewable under paragraph 75 v of the Constitution and s 39B of the Judiciary Act 1901 Cth Section 187G—Consultation with agencies and the ACMA 303 Section 187G sets out the consultation process that the CAC must undertake in relation to data retention implementation plan applications that it receives 304 References to the ‗original plan‘ in section 187G mean references to the data retention plan originally submitted by the service provider under section 187E of the Act rather than to any amended version of the plan created or proposed to be created under the processes set out in section 187G 305 Subsection 187G 1 provides that once the CAC receives an implementation plan application the CAC must give a copy of the plan to the enforcement agencies and security authorities that are likely to be interested in the plan for comment and may give a copy to the Australian Communications and Media Authority the ACMA 306 Subsection 187G 2 governs requests for amendment of a service provider‘s original plan providing that if an enforcement agency or security authority makes a request for amendment of the plan the CAC must consider whether the request is reasonable If the CAC considers the request is reasonable the CAC must give the service provider a copy of the request and may also provide the service provider with a copy of the comment or a summary of the comment The CAC must then request the service provider to respond to the CAC within 30 days after receiving the comment or summary 307 Subsection 187G 2 is intended to ensure that interested enforcement agencies and security authorities have the opportunity to comment on and request amendments to a service provider‘s proposed implementation plan and to require the CAC to provide those requests to the service provider if he or she considers such requests to be reasonable Subsection 187G 2 does not require the CAC to provide a service provider with a copy or summary of the comment accompanying a request as in some cases it will not be appropriate to do so including where the comment relates to sensitive law enforcement or national security matters 308 Subsection 187G 3 provides that a service provider must respond to a request for amendment of its plan that it received under subsection 187G 2 The service provider must either accept the request for amendment by giving the CAC an appropriately amended plan within the 30 day period set out in subsection 187G 2 or indicate that it does not accept the request for amendment and provide its reasons to the CAC 58 309 In the event that a service provider does not comply with the requirement to respond either adequately or at all to the CAC in relation to the request for amendment within the 30 day period subsection 187G 3 should be interpreted to mean that the service provider is taken not to have accepted the request for amendment As the deeming provision under subsection 187F 3 ceases to apply once the CAC notifies a service provider of a request to amend a plan a failure by a service provider to respond to a request for amendment within the required period may result in the service provider being subject to data retention obligations under sections 187A and 187C 310 Subsections 187G 4 and 5 provide for the role of the ACMA in relation to proposed amendment of a service provider‘s implementation plan The purpose of subsections 187G 4 and 5 is to require the CAC to refer disputes over proposed implementation plan amendments to the ACMA for determination by the ACMA 311 Data retention implementation plans are highly technical documents The ACMA is the industry regulator for the telecommunications industry and has substantial expertise relating to the technical and commercial operation of the industry As such the ACMA is the appropriate body to review any dispute over a request to amend a data retention implementation plan 312 Subsection 187G 4 applies in the event the service provider does not accept a request for amendment of its plan If so the CAC must refer the request for amendment to the ACMA along with the service provider‘s response if one was given and request the ACMA to make a determination on the dispute Under subsection 187G 5 the ACMA is then be required to determine in writing either that no amendment of the plan is necessary or that that original plan should be amended The ACMA is only be able to determine that the original plan should be amended if the ACMA considers the amendment request to be reasonable and the service provider‘s response to the request for amendment to not be reasonable In the event that the service provider does not respond or did not respond adequately under subsection 187G 3 prima facie that could be considered not to be a reasonable response The ACMA must then give a copy of its determination to the service provider 313 Subsection 187G 6 sets out what the CAC must do in relation to implementation plans amended by the service provider in accordance with a determination by the ACMA and given to the CAC While no particular timeframe is specified in the subsection for a service provider to provide an amended plan to the CAC the service provider should provide the amended plan within a reasonable period of time A guide for a reasonable period of time would be 30 days The CAC must then either approve the amended plan or refuse to approve the plan In either case the CAC must notify the service provider accordingly 314 While no specific factors are set down in section 187G in making decisions under section 187G the CAC and the ACMA should generally take into account the list of factors in subsection 187F 2 315 Subsection 187G 7 provides that a determination by the ACMA under subsection 187G 5 is not a legislative instrument Subsection 187G 7 is included to assist readers as a determination made by the ACMA under section 187G 5 is not a legislative instrument within the meaning of section 5 of the Legislative Instruments Act 2003 59 Section 187H—When data retention implementation plans are in force 316 Section 187H sets out when data retention implementation plans are in force 317 Paragraph 187H 1 a provides that a data retention implementation plan for a telecommunications service operated by a service provider commences when the CAC notifies the service provider of the CAC‘s approval of the plan which can be either the service provider‘s original plan or an amended plan 318 Paragraph 187H 1 b also sets out that an implementation plan ceases to be in force in relation to a service operated in the following circumstances i ii For telecommunications services that the service provider was already operating when Part 5-1A of the TIA Act commenced the plan ceases to be in force 18 months after commencement of Part 5-1A of the TIA Act For telecommunications services that the service provider was not already operating when Part 5-1A of the TIA Act commenced the plan ceases to be in force 18 months after when the service provider started operating the service 319 Subsection 187H 2 defines the term ‗implementation phase‘ for the purposes of Part 1 of Schedule 1 of the TIA Act as being the period of 18 months starting on the commencement of Part 5-1A Section 187J—Amending data retention implementation plans 320 Section 187J sets out when a data retention implementation plan can be amended The purpose of this provision is to ensure that once approved a data retention implementation plan may only be varied with the consent of both the service provider and the CAC This limitation is intended to provide regulatory certainty for service providers and to ensure that law enforcement and national security interests are considered in relation to any variation 321 Subsection 187J 2 provides that the rules for the CAC to approve implementation plans under section 187F and section 187H also apply to applications for amendments of plans by a service provider under paragraph 187J 1 a as if the amendment application had been an application in relation to an original plan under section 187E This means that the CAC is required to assess proposed amendments of implementation plans under section 187J in the same way as the CAC would assess applications in relation to original plan applications made under section 187E 322 Paragraph 187J 3 a provides that an amendment to a data retention implementation plan comes into force when the CAC notifies the service provider of the approval of an amendment or when the service provider agrees to an amendment requested by the CAC Paragraph 187J 3 b provides that an amendment to a data retention plan cannot reduce or extend the period for which the implementation plan is in force although an amended plan could specify that full compliance will be achieved prior to the end of period for which the plan is in force 60 Division 3 of Part 5-1A—Exemptions Section 187K—The Communications Access Co-ordinator may grant exemptions or variations 323 Section 187K provides that the CAC may exempt a service provider from the mandatory data retention and information security obligations imposed on the service provider under Part 5-1A of the TIA Act or vary the obligations that the service provider is subject to The CAC may grant this exemption or variation on his or her own volition or on application by a service provider 324 This exemption and variation scheme is intended to permit exemptions or variations to be granted in a range of circumstances including where imposing data retention obligations for a particular relevant service would be of limited utility for law enforcement and national security purposes 325 The scheme provided by this section is modelled on existing sections 192 and 193 of the TIA Act which provide that the CAC or the ACMA may grant exemptions in relation to the interception capability obligations of service providers 326 Subsection 187K 1 provides that the CAC may make a determination in relation to a specified service provider that removes or varies any or all of the mandatory data retention or information security obligations removes or varies any or all of the mandatory data retention or information security obligations imposed on the service provider under Part 5-1A for a particular kind of relevant service or reduces the data retention period or the extent of the information security obligations either generally or in relation to data that relates to a particular kind of relevant service 327 A variation must not however impose obligations that would exceed the obligations to which a service provider would otherwise be subject to under sections 187A 187BA and 187C 328 The decision of the CAC may be expressed broadly In making a determination the CAC may specify service providers in any way for example by reference to a class of service providers and is not required to refer specifically to individual service providers For example the CAC may specify that any service provider that provides Internet Protocol television IPTV services is not required to retain any data in relation to its IPTV service Similarly an exemption or variation may be expressed to apply to a class of obligations 329 Subsection 187K 1 ensures that determinations can be properly nuanced by vesting the CAC with the ability to elaborate either to particular service providers or generally how the data retention obligations introduced by Part 5-1A should apply to particular technologies For example a determination could exempt the retention of specific information relating to satellite or mobile internet services Those services create different types of data therefore it is appropriate to have a method of providing greater certainty to service providers about how high-level obligations apply to diverse technologies 61 330 The data retention obligations under Part 5-1A may cover services that are of limited or no relevance to law enforcement or national security These could include services relating to IPTV content on demand the leasing of dark fibre and machine-to-machine communications Subsection 187K 1 recognises that in certain instances a service provider may not achieve complete technical compliance in relation to a particular service or some aspect of that service or that the non-compliance has limited implications for law enforcement or national security agencies 331 The decision of the CAC to grant an exemption or variation is not reviewable under the Administrative Decisions Judicial Review Act 1977 the ADJR Act as decisions under the TIA Act are not decisions to which the ADJR Act applies see paragraph d of Schedule 1 to the ADJR Act The exclusion of these decisions from the ADJR Act does not prevent decisions made under the TIA Act from being judicially reviewable under paragraph 75 v of the Constitution and section 39B of the Judiciary Act 1901 Cth 332 Subsection 187K 2 provides that the CAC‘s decision must be in writing 333 Subsection 187K 3 provides that the CAC‘s decision may be unconditional or subject to such conditions as specified in the decision Such conditions may include limits on the time for which the exemption or variation applies limits on the numbers of customers or the geographic scope of a particular type of service or requirements for ongoing consultations with agencies 334 Subsection 187K 4 provides that a decision made by the CAC under subsection 187K 1 is not a legislative instrument Subsection 187K 4 has been included to assist readers as the instrument is not a legislative instrument within the meaning of section 5 of the Legislative Instruments Act 2003 335 Paragraph 187K 5 a provides that where a service provider applies in writing for a particular decision the CAC must give a copy of the application to affected enforcement agencies or security agencies and may give a copy to the ACMA Where the requested exemption has an impact on the investigative capabilities or regulatory functions of an agency it is appropriate that the CAC consults with that agency 336 Paragraph 187K 5 b provides that if the CAC does not respond to a service provider‘s application within 60 days the decision requested by the service provider is deemed to have been granted to that service provider This provision is intended to ensure that the CAC resolves applications in a timely manner and provides certainty for service providers as to their legal obligations under the TIA Act at any given time 337 Subsection 187K 6 provides that the deemed decision under paragraph 187K 5 b has effect only until the CAC makes and communicates to the service provider a decision on the application This ensures that the deemed exemption is only temporary 338 Subsection 187K 7 requires that in granting an exemption or variation the CAC must take into account the interests of law enforcement and national security which can include the relevance to law enforcement or national security of the services for which an exemption or variation is being sought 62 339 The CAC must also take into account the objects of the Telecommunications Act 1997 15 the main object of which is to provide a regulatory framework that promotes the long-term interests of users of telecommunications services the efficiency and international competitiveness of the Australian telecommunications industry and the availability of accessible and affordable carriage services that enhance the welfare of Australians 340 The CAC must also take into account the service provider‘s history of compliance with Part 5-1A of the TIA Act the service provider‘s costs or anticipated costs of complying with data retention obligations under Part 5-1A and any alternative data retention or information security arrangements that the service provider has identified Such alternative data retention and security arrangements could be formalised as part of an exemption or variation granted by the CAC Service providers are in a unique position to draw to the CAC‘s attention specific cost implications and to suggest alternative compliance arrangements in support of any exemption application 341 Subsection 187K 8 enables the CAC to take into account any other relevant matter when deciding whether or not to grant an exemption or variation which might include relevant technological or industry factors such as the size market share and national security and law enforcement risk profile of the service provider the degree to which an exemption would effectively mitigate costs and minimise impacts on the service provider‘s cash flow and the pre-existing business plans of the service provider 342 Pursuant to section 33 3 of the Acts Interpretation Act 1901 the power to make or grant an instrument of administrative character such as an exemption or variation under subsection 187K is to be taken as including a power to repeal rescind revoke amend or vary any such instrument This power is to be exercised in the same manner and subject to the same conditions if any that applied to the making or granting of the instrument 343 The CAC may seek to exercise the power to repeal or revoke an exemption or variation in a range of circumstances including where an exemption that has been granted on the expectation that it will remain confidential becomes known publicly to a class of persons or to a specific individual in circumstances where that disclosure would have a detrimental impact on the interests of law enforcement and national security Section 187KA– Review of exemption or variation decisions by the ACMA 344 Section 187KA implements recommendation 15 of the 2015 PJCIS Report 345 The ACMA has the ability to determine disputes in relation to applications for data retention implementation plans including applications for amendment This item provides the ACMA with the additional role to determine disputes when a service provider has applied 15 See section 3 of the Telecommunications Act 1997 63 to the CAC for an exemption or variation from the data retention obligations As such section 187KA ensures a consistent approach to disputes between the CAC and service providers regarding the application of data retention obligations Division 4 of Part 5-1A—Miscellaneous Section 187KB—Capital contribution 346 Section 187KB supports the implementation of recommendation 16 of the 2015 PJCIS Report on the Bill 347 This section provides legislative authority for the Commonwealth to grant financial assistance to service providers to assist them to comply with obligations imposed by the data retention scheme The terms and conditions of the financial assistance are to be set out in agreements entered into with service providers on behalf of the Commonwealth The financial assistance is to be provided out of money appropriated by the Parliament Section 187L—Confidentiality of applications for exemptions etc 348 Subsection 187L 1 places an obligation on the CAC to treat a service provider‘s application for a data retention implementation plan or an exemption from the data retention obligations as confidential and must not disclose the service provider‘s application without the written permission of the service provider This prohibition does not apply to disclosure to the ACMA an enforcement agency or a security authority It is appropriate that the CAC is able to consult with affected agencies and the ACMA about such applications 349 Subsection 187L 1A requires the ACMA to keep confidential any application by a service provider for a review that it receives under subsection 187KA 1 The ACMA is unable to disclose the service provider‘s application without the written permission of the service provider 350 However this confidentiality requirement does not prevent the ACMA providing the application to the CAC and relevant enforcement agencies and security authorities as subsection 187KA 3 requires the ACMA to provide those agencies or authorities with a copy of the application This ensures that those agencies and authorities are appropriately consulted 351 A service provider‘s application for a review includes details about specific business processes such as technical network infrastructure specifications which may be commercially sensitive The obligation on the ACMA as well as any agencies or authorities that the application was disclosed to to treat such applications as confidential reflects the sensitivity of the information contained in such applications from both a commercial and security perspective 352 Subsection 187L 2 provides that where a copy of an application is disclosed to the ACMA an enforcement agency or a security authority that body must treat the copy as confidential and may not disclose it to any other person or body without the written permission of the carrier This subsection is modelled on section 202 of the TIA Act 64 353 Subsection 187L 2 introduces new confidentiality requirements in subsection by requiring the ACMA the CAC and any enforcement agency or security authority to keep confidential any copy it receives of a service provider‘s application for approval of a data retention implementation plan exemption from or variation of data retention obligations and review of a CAC decision in relation to exemption or variation of data retention obligations 354 This item ensures that the CAC and any enforcement agencies or security authorities keep confidential copies of exemption review applications they receive from the ACMA under section 187KA 3 355 This item also refers to paragraph 187G 1 a to ensure that the ACMA is required to keep confidential copies of data retention implementation plan applications it receives from the CAC under subsection 187G 1 The ACMA receives such copies under subsection 187G 1 rather than paragraph 187G 1 a Enforcement agencies and security authorities continue to be required to keep copies of such applications they receive under subsection 187G 1 confidential 356 A service provider‘s application for an exemption includes details about specific business processes such as technical network infrastructure specifications which would be commercial-in-confidence The obligation on the CAC as well as any agencies that the application was disclosed to to treat such applications as confidential reflects the sensitivity of the information contained in such applications from both a commercial and national security perspective 357 Section 187L does not require service providers to keep applications approved implementation plans or exemptions confidential However revealing the existence of the fact that a service provider is not subject to data retention obligations under section 187A and 187C in relation to a particular relevant service may give rise to new or increased law enforcement and national security risks that may in all of the circumstances justify the CAC revoking an exemption Section 187LA—Application of the Privacy Act 1988 358 Section 187LA implements recommendations 24 and 35 of the 2015 PJCIS Report 359 Subsection 187LA 1 provides that the Privacy Act applies in relation to a service provider to the extent that the activities of the service provider relate to retained data The effect of this provision is that the Privacy Act and the Australian Privacy Principles APPs applies to all service providers as though they were ‗organisations‘ including service providers that would otherwise be exempt from the Privacy Act under the ‗small business operator‘ ‗registered political party‘ ‗agency‘ ‗State or Territory authority‘ or ‗prescribed instrumentality of a State or Territory‘ exemptions contained in section 6C of the Privacy Act However this provision applies only to the extent that the activities of the service provider relate to retained data including for example the collection storage use disclosure including cross-border disclosure individual access de-identification and destruction of retained data 65 360 Subsection 187LA 2 provides that information or documents kept under Part 5-1A are taken to be ‗personal information‘ within the meaning of the Privacy Act relating to an individual if the information relates to the individual or to a communication to which the individual is or was a party Under the standard definition of personal information what constitutes personal information will vary depending on whether an individual can be identified or is reasonably identifiable in the particular circumstances As a result not all information held by service providers may fall within the standard definition of personal information This item expands the definition of personal information ensuring that all retained data kept by service providers in accordance with Part 5-1A is personal information within the meaning of the Privacy Act 361 As a result of section 187LA individuals can request access to their personal retained data in accordance with APP 12 removing uncertainty about whether particular types of retained data are personal information This right of access continues to be subject to the Privacy Act and APPs In particular service providers can charge an individual for giving access in accordance with APP 12 8 Where an individual requests access to information about communications to which they were a party that information will generally also be the personal information of at least one other individual being the other party to the communication 362 Regarding cost recovery in civil litigation proceedings service providers are already able to apply for reimbursement once they have been served with a subpoena to produce evidence In civil litigation proceedings cost recovery is subject to the relevant court rules and procedures as for example section 15A 10 of the Federal Circuit Court Rules 2001 Service providers are also required to comply with the information security obligations contained in APP 11 1 in relation to all retained data and are required to de-identify or destroy retained data at the expiry of the retention period unless one of the circumstances in paragraphs b c or d of APP 11 2 applies Section 187M—Pecuniary penalties and infringement notices 363 Section 187M provides that the data retention obligations set out in subsection 187A 1 and the obligations under data retention implementation plans under paragraph 187D a are civil penalty provisions for the purposes of the Telecommunications Act This provision makes clear that the telecommunications data retention regime and data retention implementation plans are enforceable under the applicable enforcement mechanisms set out in the Telecommunications Act 364 The Telecommunications Act already requires compliance with carrier licence conditions for carriers or service provider rules for carriage service providers which require amongst other things compliance with Chapter 5 of the TIA Act 365 Enforcement options available in the Telecommunications Act for non-compliance with the data retention regime or a data retention implementation plan would include remedial directions formal warnings and pecuniary penalties 366 Infringement notices are notices issued to carriers carriage service providers C CSPs by the ACMA in relation to contravention of civil penalty provisions of the Telecommunications Act which can include for these purposes the TIA Act The notices are designed as a more efficient means of dealing with certain penalty provisions as an alternative to instituting court proceedings for the recovery of a pecuniary penalty 66 367 Subsection 572E 1 of the Telecommunications Act provides that the ACMA can issue an infringement notice if a C CSP has contravened a civil penalty provision Section 187M defines the data retention obligations in subsection 187A 1 and the data retention implementation obligations in paragraph 187D a as civil penalty provisions This means the ACMA can issue infringement notices in relation to contraventions of these provisions 368 Subsections 572E 6 to 9 of the Telecommunications Act refer to a process for declaring contraventions of certain carrier licence conditions and service provider rules under the Telecommunications Act before the ACMA can issue infringement notices in relation to those matters It is not be necessary for the ACMA to declare contraventions of subsection 187A 1 or paragraph 187D a of the TIA Act to be listed infringement notice provisions before the ACMA can issue infringement notices in relation to these matters This is because section 187M of the TIA Act declares these provisions to be civil penalty provisions in their own right Section 187N—Review of operation of Part 369 Section 187N ensures that after the data retention regime has been in operation for a sufficient period of time a Parliamentary review will be conducted to ensure the regime is operating appropriately and effectively 370 Section 187N provides that the PJCIS must complete its review of the operation of Part 5-1A of the TIA Act by the third anniversary of the end of the implementation phase for data retention obligations Subsection 187N 2 requires the PJCIS to give the Minister a written report of the review This requirement is not intended to prevent the Chair of the PJCIS from tabling that report in Parliament 371 Section 187N gives effect to the relevant part of recommendation 43 of the 2013 PJCIS Report as modified by the 2015 PJCIS Report that the effectiveness of any mandatory data retention regime be reviewed by the PJCIS three years after its commencement 372 Subsection 187N 1A requires the PJCIS to start its review of the data retention regime on or before the second anniversary of the end of the implementation phase and conclude that review on or before the third anniversary of the end of the implementation period The PJCIS recommended that the commencement date for the review be reduced from three years to two In 2015 the PJCIS also recommended that its report on the review be presented to Parliament no later than three years after the end of the implementation period 373 Subsection 187N 1A implements recommendation 30 of the 2015 PJCIS Report specifying that the review must start on or before the second anniversary of the end of the implementation phase and finish on or before the third anniversary of the end of the implementation phase 374 The requirement under subsection 187N 2 for the Committee to provide the Minister with a copy of the report is not intended to preclude the Chair of the Committee from tabling that report in Parliament 375 Subsections 187N 3 4 and 5 require the head of an agency to keep until the PJCIS review of the data retention scheme is completed a copy of all authorisations made under Chapter 4 of the TIA Act a copy of all journalist information warrants and 67 authorisations made under those warrants made under Chapter 4 of the TIA Act as well as information reported each year to the Minister relating to the agency‘s access to historic telecommunications data This ensures that the PJCIS review of the data retention scheme in section 187N will have access to comprehensive information held by agencies on their access to telecommunications data 376 These subsections implement recommendation 31 of the 2015 PJCIS Report that agencies be required to collect and retain information necessary to inform the Committee‘s review of the data retention scheme Section 187P—Annual reports 377 Section 186 of the TIA Act lists the information enforcement agencies must provide to the Minister about data authorisations This information is included in the Annual Report about the use of powers under the TIA Act prepared under Part 2-8 of the TIA Act and tabled by the Minister in each House of the Parliament 378 Subsection 187P 1 provides that the Minister must prepare a written report on the operation of Part 5-1A regarding data retention obligations for each financial year Subsection 187P 1A implements recommendation 33 of the 2015 PJCIS Report by requiring that the Annual Report prepared under subsection 187P 1 contain information on the costs incurred by service providers in complying with their obligations and the use of data retention implementation plans 379 Subsection 187P 2 requires that the report be included in the Annual Report under subsection 186 2 of the TIA Act which enables the Minister to include any information in the Annual Report that the Minister considers appropriate 380 Subsection 187P 3 requires that the report under subsection 187P 1 must not be made in a manner that would be likely to identify a person 381 Section 187P implements the relevant part of Recommendation 43 of the 2013 PJCIS Report that if data retention is implemented there should be an annual report to Parliament on the operation of the scheme The requirement to report on the regime is consistent with the general reporting and accountability obligations already contained in the TIA Act 68 PART 2—OTHER AMENDMENTS Australian Security Intelligence Organisation Act 1979 Items 1A 1B 1C and 1D—Section 4 and subsection 94 382 These items amend the Australian Security Intelligence Organisation Act 1979 ASIO Act to implement the Government‘s response to recommendation 33 of the 2015 PJCIS Report insofar as it applies to ASIO that annual reports on the data retention scheme will cover certain matters These relate to the number and types of purposes of authorisations to access retained data lengths of time for which relevant documents covered by the authorisations were held and the number of authorisations that related to subscriber data and communications traffic data respectively 383 These items amend the reporting requirements in subsection 94 2A of the ASIO Act to ensure that these matters are included in ASIO‘s annual reports in relation to ASIO‘s telecommunications data access Subsection 94 2A is amended to include the number of journalist information warrants issued during the reporting period and the number of authorisations made under those journalist information warrants Annual reports including this information are subject to Minister‘s discretion under subsection 94 5 to make deletions from the report to be tabled in Parliament in accordance with subsection 94 4 in order to avoid prejudice to security defence international affairs or the privacy of individuals The Inspector-General of Intelligence and Security IGIS can request classified annual reports in accordance with the Inspector-General of Intelligence and Security Act 1986 the IGIS Act Intelligence Services Act 2001 384 These items amend the Intelligence Services Act 2001 the ISA principally to implement the Government‘s response to recommendation 34 of the 2015 PJCIS Report The PJCIS recommended it be conferred a new statutory function in section 29 of the ISA enabling it to conduct inquiries into the purpose and manner of access of retained data by ASIO and the AFP arising from relevant annual reports made on the data retention scheme 385 Consistent with this division of responsibilities items 1E-1G confer upon the PJCIS a new function to conduct a review of the overall effectiveness of the operation of the data retention scheme in relation to the activities of ASIO and the AFP in relation to AFP investigations under Part 5 3 of the Criminal Code 1995 where those activities are the subject of the relevant annual reporting requirements applying to ASIO and the AFP under the ASIO Act and TIA Act respectively The PJCIS can also inquire into operational matters concerning the relevant data access activities of ASIO covered in their annual report and the AFP covered in the TIA Act annual report to the extent that such operations are relevant to the Committee‘s overall assessment of the effectiveness of the data retention scheme in Part 5-1A of the TIA Act Item 1E—Section 3 386 Item 1E inserts definitions of terms in section 3 of the ISA ‗retained data activity‘ and ‗service provider‘ which are used in the provisions of section 29 conferring the PJCIS‘s new function 69 Item 1F—After paragraph 29 1 bb 387 Item 1F inserts paragraphs 29 1 bc bd and be Paragraph 29 1 bc makes explicit that it is a statutory function of the PJCIS to conduct its review of the data retention scheme under s 187N of the TIA Act following completion of the implementation phase Paragraphs 29 1 bd and be provide respectively for the PJCIS‘s new inquiry function of the data retention activities of ASIO and the AFP in relation to investigations under Part 5 3 of the Criminal Code in response to recommendation 34 of the 2015 PJCIS Report The scope of the new inquiry function in paragraph 29 1 be in relation to the activities of the AFP pertaining to Part 5 3 of the Criminal Code is consistent with the PJCIS‘s existing functions in relation to the AFP under subsection 29 1 of the ISA 388 Subsection 29 3 of the ISA reflects that it is not a function of the PJCIS to examine operational matters or matters beyond those pertaining to intelligence and security That existing provision reflects a principle that operational oversight of Australia‘s intelligence security and law enforcement agencies is conducted principally by independent statutory bodies – including the IGIS and the Ombudsman – which report to the relevant responsible Minister Item 1G—At the end of section 29 389 Item 1G sets out the parameters for the PJCIS‘s performance of the new function by inserting subsections 29 4 and 29 5 Subsection 29 4 provides that the PJCIS can examine matters relating to particular operations of ASIO and the AFP with respect to retained data activities covered in the ASIO annual report and the TIA Act annual report respectively This is a limited exemption from the prohibitions on inquiring into operational matters in paragraphs 29 3 c and 29 3 k 390 Paragraph 29 5 a provides that the PJCIS‘s examination of particular operational matters under subsection 29 4 is to be performed for the sole purpose of assessing and making recommendations about the overall operation and effectiveness of the data retention scheme Paragraph 29 5 c also makes explicit that the new function cannot be performed for any other purpose than that set out in paragraph a of the subsection These provisions are necessary to preserve the focus of the PJCIS on non-operational matters and to avoid overlap or duplication with the operational oversight of the IGIS and Ombudsman while also enabling the PJCIS to access operational information for the purpose of performing its new function 391 Paragraph 29 5 b further qualifies that the new inquiry function is limited to the activities of ASIO and the AFP in relation to Part 5 3 of the Criminal Code and does not permit reviewing the activities of ‗service providers‘ as defined in section 3 by reference to that term in the TIA Act This reflects the intention of the PJCIS in recommendation 34 to facilitate Parliamentary oversight of the purpose and manner of access to retained data by ASIO and the AFP 392 All of the PJCIS‘s statutory functions will continue to be governed by the procedural arrangements in Schedule 1 to the ISA These include the protections for operationally sensitive information and other information which if released would or might prejudice national security or foreign relations as set out in Parts 1 and 2 of Schedule 1 The Government further intends to work with the PJCIS to develop practical arrangements for the 70 conduct of its new inquiry function It is anticipated that these working arrangements may address such matters as the timing of inquiries strategies for avoiding overlap with extant oversight activities of the IGIS and Ombudsman and arrangements for requesting providing and protecting operational and other sensitive information Privacy Act 1988 Item 1H—Subsection 6 1 at the end of the definition of personal information 393 Item 1H amends the Privacy Act to insert a note at the end of the definition of ‗personal information‘ contained in subsection 6 1 to draw attention to the extension by the TIA of the meaning of personal information to cover information kept under the data retention scheme Item 1J—Subsection 6C 1 note 394 Item 1J repeals and replaces the existing explanatory note to the definition of ‗organisation‘ in subsection 6C 1 of the Privacy Act This note clarifies that under section 187LA service providers are treated as organisations for the purposes of the Privacy Act in relation to the retention of data under Part 5-1A of the TIA Act Service providers are therefore an ‗APP entity‘ under the Privacy Act and must comply with the APPs in relation to their activities under Part 5-1A of the TIA Act Telecommunications Act 1997 Item 2—Section 7 at the end of the definition of civil penalty provision 395 This item amends section 7 of the Telecommunications Act to clarify that a provision of the TIA Act that is declared to be a civil penalty provision is a civil penalty provision for the purposes of the TIA Act Section 187M of the TIA Act provides that the data retention obligations set out in subsection 187A 1 and data retention implementation plan obligations in paragraph 187D a are civil penalty provisions Item 3—Subsection 105 5A 396 This item amends section 105 of the Telecommunications Act which sets out the matters on which the ACMA must monitor and report in its annual reports This clause repeals and substitutes subsection 105 5A of the Telecommunications Act to provide that the ACMA must monitor and report each financial year to the Minister on The operation of Part 14 of the Telecommunications Act which governs the assistance that carriers carriage service providers and carriage service intermediaries must provide in relation to national security and law enforcement matters and the costs of compliance with Part 14 and The costs of compliance with data retention capability obligations set out in Part 5-1A of the TIA Act 397 Paragraph 105 5A a of the Telecommunications Act is only intended to re-enact the repealed subsection 105 5A of the Telecommunications Act and no change in meaning is intended However paragraph 105 5A a deletes an obsolete reference from subsection 105 5A of the Telecommunications Act to Part 15 of that Act which was repealed by the Telecommunications Interception and Access Amendment Act 2007 71 398 Paragraph 105 5A b of the Telecommunications Act requires the ACMA to monitor and report on the costs of data retention The purpose of paragraph 105 5A b is to provide public accountability about the costs to the telecommunications industry of implementing data retention obligations by providing that the ACMA must monitor and report on these matters Item 3A—After subsection 280 1A 399 Currently subsection 280 1 of the Telecommunications Act provides that the prohibitions on the disclosure of certain communications-related information and documents under Division 2 of Part 13 of that Act do not apply other than where the disclosure is in connection with the operation of an enforcement agency within the meaning of the TIA Act where the disclosure is required or authorised by or under law Item 39 inserts item 3A into Part 2 of Schedule 1 of the Bill that inserts subsections 280 1B and 1C into the Telecommunications Act 400 The effect of subsection 280 1B is that paragraph 280 1 b does not apply in circumstances where all of the criteria specified in paragraphs 280 1B a to c are satisfied Paragraph 280 1B a is satisfied where the disclosure is required or authorised because of a subpoena a notice of disclosure or an order of a court in connection with a civil proceeding 401 Telecommunications data that is retained by service providers for their ordinary business purposes or for other regulatory purposes is currently accessed in the course of many civil proceedings The purpose of paragraph 280 1B b is to ensure that the prohibition applies only to telecommunications data that is collected and retained only for the purpose of complying with Part 5-1A and that is used by the service provider only for that purpose a limited range of defined public interest purposes or for purposes incidental to any of those purposes 402 An example of a purpose incidental to the purpose listed in subparagraph 280 1B c i complying with Part 5-1A of the TIA Act would be to develop test or maintain the systems used to retain data under Part 5-1A An example of a purpose incidental to the purposes listed in subparagraphs 280 1B c ii iii or iv complying with a warrant issued or authorisation made under the TIA Act or with a request or requirement provided for by sections 284 to 288 of the Telecommunications Act or a request to provide a person with access to their personal information under the Privacy Act would be using or disclosing information or documents for the purpose of seeking legal advice in relation to the warrant authorisation request or requirement 403 This provision thereby ensures that telecommunications data that is collected retained or used for a service provider‘s ordinary business purposes or other purposes unrelated to the data retention obligation continues to be available for such proceedings 404 Paragraph 280 1C a provides that the prohibition contained in subsection 280 1B does not apply in circumstances of a kind prescribed by the regulations As noted above telecommunications data is currently accessed by parties to many civil proceedings including proceedings relating to international child abduction family violence and personal injury or economic harm as a result of negligence or professional malpractice As the requirement for access depends substantially on the facts and circumstances of each individual civil proceeding any limit on the availability of such information would have the potential to prejudice the legitimate rights and interests of claimants or respondents in such proceedings 72 Therefore a regulation-making power is required to enable the creation of regulations to prescribe further circumstances for where the prohibition in paragraph 280 1B would not apply 405 Paragraph 280 1C b provides that the prohibition contained in subsection 280 1B does not apply in relation to disclosures to enforcement agencies A number of enforcement agencies currently obtain access to telecommunications data in the course of civil proceedings such as actions for the proceeds of crime or in relation to control orders made under Division 104 of the Criminal Code 406 Paragraph 280 1C c provides that the prohibition contained in subsection 280 1B does not commence until the end of the implementation phase for Part 5-1A of the TIA Act This provision ensures that the prohibition does not commence until the data retention scheme is implemented Item 3B—Section 281 407 This item corrects a drafting error by inserting ― 1 ‖ before the ―Division 2‖ in section 281 of the Telecommunications Act 1997 Item 3C—At the end of section 281 408 Currently section 281 of the Telecommunications Act provides that the prohibitions on the disclosure of certain communications-related information and documents under Division 2 of Part 13 of that Act do not apply in relation to a disclosure made by a person of information or a document if the person makes the disclosure as a witness summoned to give evidence or to produce documents 409 Item 3B inserts item 3C to Part 2 of Schedule 1 of the Bill that inserts subsections 281 2 and 3 to the Telecommunications Act The purpose of these subsections is substantially similar to the purpose of subsections 280 1B and 1C of the Telecommunications Act being to prohibit the disclosure by a witness in civil proceedings of information or documents that have been kept by a service provider solely for the purpose of complying with Part 5-1A of the TIA Act and that are not used by the service provider only for that purpose a limited range of defined public interest purposes a purpose prescribed by the regulations or for purpose incidental to the abovementioned purposes 410 Subsection 281 3 contains exceptions to this prohibition which are similar to those in subsection 280 1C In particular paragraph 281 3 a contains a regulation-making power which has the same purpose as the regulation-making power that would be established by paragraph 280 1C a Item 4—Subsection 314 8 411 Section 314 of the Telecommunications Act concerns the terms and conditions on which carriers carriage service providers and carriage service intermediaries must provide reasonably necessary assistance in relation to national security and law enforcement matters 412 Subsection 314 8 of the Telecommunications Act clarifies that certain obligations set out in the TIA Act are not included within the provisions of section 314 of the Telecommunications Act This item amends subsection 314 8 of the Telecommunications 73 Act to provide that section 314 of the Telecommunications Act does not apply in relation to data retention capability obligations set out in Part 5-1A of the TIA Act Telecommunications Interception and Access Act 1979 Item 5—Subsection 5 1 Definition of ‘Defence Minister’ 413 This item inserts a definition of ‗Defence Minister‘ into subsection 5 1 of the TIA Act The ‗Defence Minister‘ has the meaning given in the Intelligence Services Act 2001 Definition of ‘Foreign Affairs Minister’ 414 This item inserts a definition of ‗Foreign Affairs Minister‘ into subsection 5 1 of the TIA Act The ‗Foreign Affairs Minister‘ has the meaning given in the Intelligence Services Act 2001 Definition of ‘IGIS official’ 415 This item inserts a definition of the term ‗IGIS official‘ into subsection 5 1 of the TIA Act An ‗IGIS official‘ has the meaning given in section 4 of the Australian Security Intelligence Organisation Act 1979 Definition of ‘implementation phase’ 416 This item also inserts a definition of ‗implementation phase‘ by stating it has the meaning given in subsection 187H 2 which states the implementation phase is the period of 18 months starting on the commencement of the data retention obligations Definition of ‘infrastructure’ 417 This item inserts a definition for the term infrastructure into subsection 5 1 of the TIA Act It defines infrastructure as it is used in paragraph 187A 3 c to mean any line or equipment used to facilitate communications across a telecommunications network 418 The term infrastructure is used as part of the three limb test in paragraphs 187A 3 a b and c which defines a relevant service ‗Equipment‘ is defined in section 5 of the Act which states equipment means any apparatus or equipment used or intended for use in or in connection with a telecommunications network and includes a telecommunications device but does not include a line Section 5 of the Act defines ‗line‘ by reference to the definition in the Telecommunications Act Section 7 of the Telecommunications Act states a line is a wire cable optical fibre tube conduit waveguide or other physical medium used or for use as a continuous artificial guide for or in connection with carrying communications by means of guided electromagnetic energy 419 Servers used to operate an ‗over the top‘ service such as VoIP would fall within the definition of infrastructure However ‗infrastructure‘ is not intended to include business 74 premises For example the headquarters of a company taken in isolation would not satisfy the definition of ‗infrastructure ‘ 420 Importantly a piece of equipment or line meeting the definition of infrastructure does not automatically satisfy paragraph 187 3 c For instance a computer used by an employee in a company‘s headquarters or marketing office is not directly involved in the provision of a relevant service and therefore does not satisfy paragraph 187 3 c 421 This item implements recommendation 11 of the 2015 PJCIS Report by defining the term ‗infrastructure‘ in greater detail for the purposes of paragraph 187A 3 c Definition of ‘journalist information warrant’ 422 This item inserts a definition for the term ‗journalist information warrant‘ into subsection 5 1 of the TIA Act A ‗journalist information warrant‘ means a warrant issued under Division 4C of Part 4-1 Definition of ‘Part 4-1 issuing authority’ 423 This item inserts a definition for the term ‗Part 4-1 issuing authority‘ into subsection 5 1 of the TIA Act A ‗Part 4-1 issuing authority‘ is defined as a person whose appointment is in force under section 6DC Definition of ‘Public Interest Advocate’ 424 This item inserts a definition for the term ‗Public Interest Advocate‘ into subsection 5 1 of the TIA Act A ‗Public Interest Advocate‘ is defined as a person declared to be a Public Interest Advocate under subsection 180X 1 Definition of ‘related account service or device’ 425 This item also inserts a definition of ‗related account service or device‘ in relation to a service to which Part 5-1A applies This definition is used in section 187AA Definition of ‘retained data’ 426 This item also inserts a definition for ‗retained data‘ which defines it as information or documents that a service provider is or has been required to keep under Part 5-1A of the TIA Act Definition of ‘service provider’ 427 This item also inserts a definition of ‗service provider‘ by stating it has the meaning given in subsection 187A 1 which provides that it is a person who operates a service to which Part 5-1A applies Definition of ‘source’ 75 428 This item inserts a definition of ‗source‘ into subsection 5 1 of the TIA Act to support the journalist information warrant provisions This definition is expressed not to apply to item 2 of the table in subsection 187AA 1 where source takes on its natural meaning in the context of a telecommunication Item 6—At the end of subsection 6R 3 429 This item amends subsection 6R 3 of the TIA Act to provide that an act done by the CAC is done on behalf of all enforcement agencies in addition to being done on behalf of interception agencies 430 The purpose of this provision is to support the decisions of the CAC in relation to exemptions from the mandatory data retention regime made in relation to enforcement agencies that are not also interception agencies Item 6A—After section 6DB 431 Section 6DC provides that the Minister responsible for the administration of the TIA Act can by writing appoint a judge of the federal court including a judge of the Federal Court of Australia Family Court of Australia or the Federal Circuit Court or a magistrate where those persons have consented in writing to be appointed as an issuing authority to be an issuing authority for the purposes of issuing a journalist information warrant 432 The section also allows the Minister to appoint a person who holds an appointment to the Administrative Appeals Tribunal as Deputy President full-time senior member part-time senior member or member including a part-time or full-time member who is enrolled and has been enrolled for at least 5 years as a legal practitioner of a federal court or of the Supreme Court of a State or Territory for the same purpose Items 6B 6C and 6D—Section 64 433 Item 6B replaces and substitutes the heading of section 64 of the TIA Act with ‗Dealing in connection with Organisation‘s or Inspector-General‘s functions‘ 434 The introduction of specific provisions to the TIA Act permitting a person to deal in information in connection with the performance by the IGIS of his or her functions follows the introduction of similarly specific provisions into the ASIO Act by the National Security Legislation Amendment Act No 1 2014 In that context this item seeks to place beyond doubt that a person may deal in the information described in subsection 64 1 and that an IGIS official and another specified person may deal in the information described in subsection 64 2 in connection with the performance by the IGIS of his or her functions Items 6E and 6F—Section 176 435 These items amend section 176 of the TIA Act which relates to prospective data authorisations made by ASIO Specifically item 6E replaces the current paragraph 176 5 b with two new subparagraphs Subparagraph 176 5 b i states that authorisations under section 176 of the TIA Act end as specified in the authorisation which can be no later than the end of the period of 90 days beginning on the day the authorisation is made Subparagraph 176 5 b ii provides that if the authorisation is made under a journalist information warrant 76 then the end of the authorisation can be no later than the end of the period specified in section 180N being the end of the period for which the warrant is in force 436 In addition item 6F replaces current subsection 176 6 in relation to the revocation of an authorisation where the eligible person is satisfied the disclosure is no longer required with an expanded revocation provision requiring revocation of authorisations made under a journalist information warrant where that warrant was revoked or the Director-General is satisfied the grounds on which the warrant was issued have ceased to exist Items 6G and 6H—Section 180 437 These items amend section 180 of the TIA Act which relates to prospective data authorisations made by criminal law-enforcement agencies Specifically item 6G replaces the current paragraph 180 6 b with two new subparagraphs Subparagraph 180 6 b i states that authorisations under section 180 of the TIA Act end as specified in the authorisation which can be no later than the end of the period of 45 days beginning on the day the authorisation is made Subparagraph 180 6 b ii provides that if the authorisation is made under a journalist information warrant then the end of the authorisation can be no later than the end of the period specified in subsection 180U 3 being the end of period for which the warrant is in force 438 In addition item 6H replaces the current subsection 180 7 in relation to the revocation of an authorisation where the authorised officer is satisfied the disclosure is no longer required with an expanded revocation provision requiring revocation of authorisations made under a journalist information warrant where that warrant was revoked Items 6J and 6K—Section 180F 439 Item 6J amends section 180F of the Act by omitting the requirement that an officer authorising the disclosure of data ‗have regard to whether any interference with the privacy of any person or persons that may result from the disclosure or use is justifiable‘ and inserting a requirement that they ‗be satisfied on reasonable grounds that any interference with the privacy of any person or persons that may result from the disclosure or use is justifiable and proportionate‘ 440 This item implements recommendation 25 of the 2015 PJCIS Report by requiring the authorised officer making an authorisation under Division 4 or 4A of Part 4-1 of the TIA Act to be satisfied on reasonable grounds that any interference with the privacy of any person or persons that may result from the disclosure or use is justifiable and proportionate 441 Item 6K inserts subparagraph 180F aa requiring that the authorised officer must have regard to the gravity of any conduct in relation to which the authorisation is sought including the seriousness of any criminal offence the seriousness of any pecuniary penalty the seriousness of any protection of the public revenue and whether the authorisation is sought for the purposes of finding a missing person when determining whether to disclose or authorise the use of communications 77 Item 6L—After Division 4B of Part 4-1 Division 4C—Journalist information warrants 442 Chapter 4 of the TIA Act regulates how national security and law enforcement agencies may access telecommunications data Item 6A inserts Division 4C after Part 4-1 of the TIA Act The provisions to be inserted by this Part establish a journalist information warrant scheme This scheme requires ASIO and enforcement agencies to obtain a warrant prior to authorising disclosure of telecommunications data to identify a journalist‘s source The effect of Division 4C is to prohibit ASIO and enforcement agencies from making data authorisations for access to a journalist‘s or their employer‘s data for the purpose of identifying a confidential source unless a journalist information warrant is in force 443 The concept of a ‗journalist‘ is intended to replicate the current approach in Division 119 of the Criminal Code as amended by the Counter-Terrorism Legislation Amendment Foreign Fighters Act 2014 Subsection 119 2 3 f of the Criminal Code provides that where a person is working in a professional capacity as a journalist or is assisting another person working in a professional capacity as a journalist they are exempted from the general prohibition from entering or remaining in a declared area Similarly an individual is a journalist under Division 4C if they are working as a journalist in a professional capacity Indicators that a person is acting in a professional capacity include regular employment adherence to enforceable ethical standards and membership of a professional body 444 Subdivision 4C-A establishes that national security and law enforcement agencies are required to obtain journalist information warrants Subdivision 4C-B establishes the procedures for issuing a journalist information warrant to the Organisation Subdivision 4C-C establishes the procedures for issuing journalist information warrants to enforcement agencies Subdivision A—The requirement for journalist information warrants Section 180G—The Organisation 445 Section 180G provides that an eligible person within ASIO must not authorise the disclosure of information or documents under Division 3 relating to a particular person without a journalist information warrant An ‗eligible person‘ is defined under subsections 175 2 and 176 2 of the TIA Act Section 180G applies if that eligible person knows or reasonably believes that particular person is working in a professional capacity as a journalist or is the employer of a journalist and the purpose of making the authorisation is to identify another person the eligible person reasonably believes to be a source Section 180H—Enforcement agencies 446 Subsection 180H 1 provides that an authorised officer of an enforcement agency must not authorise the disclosure of information or documents under section 178 178A 179 or 180 relating to a particular person without a journalist information warrant An ‗authorised officer‘ is defined in subsection 5 1 of the TIA Act 78 447 Subsection 180H 2 provides that an authorised officer of the Australian Federal Police must not authorise the disclosure of information or documents under Division 4A in connection with the enforcement of the criminal law of a foreign country relating to a journalist for the purpose of identifying a source A journalist information warrant is not available for this purpose Subdivision B—Issuing journalist information warrants to the Organisation Section 180J—Requesting a journalist information warrant 448 Section 180J provides that the Director-General of Security may request that the Minister issue a journalist information warrant in relation to a particular person This request must specify the facts and other grounds on which the Director-General considers it necessary to issue the warrant Section 180K—Further information 449 Section 180K provides that the Minister may require the Director-General of Security to provide the Minister within a specified period further information in connection with a request under subdivision B If the Director-General breaches a requirement under subsection 180K 1 the Minister may refuse to consider the request or refuse to take any further action in relation to that request Section 180L—Issuing a journalist information warrant 450 Section 180L provides that after considering a request for a journalist information warrant the Minister must either issue a warrant that authorises the Organisation to make data authorisations in relation to a person who is working in a professional capacity as a journalist or refuse to issue a journalist information warrant 451 The Minister must not issue a journalist information warrant unless the Minister is satisfied that the public interest in issuing the warrant outweighs the public interest in protecting the confidentiality of the identity of the source having regard to specified factors These include the anticipated privacy interference the gravity of the matter for which the warrant is sought the assistance the information to be sought would provide whether other reasonable methods if any that would be effective to obtain the information have been used any submissions by a Public Interest Advocate on that application and any other relevant matter 452 Subsection 180L 3 provides that a warrant issued under the section may specify conditions or restrictions relating to making authorisations under the authority of the warrant Section 180M—Issuing a journalist information warrant in an emergency 453 Subsection 180M establishes the procedure for the Director-General of Security to issue journalist information warrants in an emergency Subsection 180M 1 provides that the Director-General may only issue an emergency journalist information warrant if authorised to do so by a Minister listed in subsection 180M 4 or if those Ministers listed in subsection 180M 4 are unavailable The Director-General may issue a journalist information warrant if 79 a request under section 180J has been made for the issue of such a warrant in relation to the particular person and the Director-General is satisfied that security will be or is likely to be seriously prejudiced if the Organisation does not obtain access to the relevant information or documents before the journalist information warrant is issued and made available to the Minister The emergency warrant may be issued if to the knowledge of the Director-General the Minister has not made a decision under section 180L and the Minister has not refused to issue the relevant journalist information warrant 454 Subsection 180M 2 provides that the Director-General may not issue a journalist information warrant unless he or she is satisfied as to the matters set out in subsection 180L 2 a and b 455 Subsection 180M 3 enables a Minister listed in subsection 180M 4 to orally authorise the Director-General to issue a journalist information warrant if they are satisfied of the matters listed in paragraphs 180L 2 a and b 456 Subsection 180M 4 provides that where the Director-General is satisfied the Minister is unavailable an oral authorisation may be provided by the Prime Minister Defence Minister and the Foreign Affairs Minister 457 Subsection 180M 5 provides that an emergency authorisation may specify conditions or restrictions relating to issuing the journalist information warrant 458 Subsection 180M 6 requires the Director-General to ensure a written record of the authorisation provided under subsection 180M 3 is made as soon as practicable but no later than 48 hours after the authorisation is given 459 Subsection 180M 7 provides that a journalist information warrant must specify the period for which it remains in force and this period must not exceed 48 hours Subsection 180M 3 does not prevent the Minister from revoking the emergency warrant 460 Subsection 180M 8 provides that the Director-General must provide the Minister with a copy of the warrant and a statement of the grounds on which the warrant was issued and either a copy or the record made under subsection 180M 6 or where a journalist information warrant was issued under subparagraph 180M 1 e ii a summary of the facts of the case justifying the issuing of the warrant 461 Subsection 180M 9 provides that the Director-General must give a copy of the journalist information warrant to the Inspector-General of Intelligence and Security within 3 business days of issuing such a warrant Subsection 180M 10 is intended to ensure subsection 180M 5 has effect despite subsection 185D 1 Section 180N—Duration of a journalist information warrant 462 Section 180N provides that a journalist information warrant issued under this Subdivision must specify the period for which it is to remain in force The specified period must not exceed 6 months Section 180P—Discontinuance of authorisations before expiry of a journalist information warrant 80 463 Section 180P provides that the Director-General of Security must take the necessary steps to discontinue the making of authorisations under a journalist information warrant where the Director-General is satisfied that the grounds on which the warrant was issued no longer exist The Director-General must also advise the Minister who under section 180L is the issuing authority for the Organisation in relation to journalist information warrants 464 These requirements ensure that authorisations do not continue to be made where the grounds that supported the issue of the warrant no longer apply Subdivision C—Issuing journalist information warrants to enforcement agencies Section 180Q—Enforcement agency may apply for a journalist information warrant 465 Section 180Q limits the persons in an enforcement agency who can apply for a journalist information warrant 466 Paragraph 180Q 2 a provides that in the case of enforcement agencies that are also interception agencies authority to apply for a journalist information warrant is limited to the persons that can apply for an interception warrant under subsection 39 2 of the TIA Act 467 Paragraph 180Q 2 b sets out that where an enforcement agency is not an interception agency applications must be made by the chief officer of the agency or an officer of the agency in a management level position that has been nominated by the chief officer of the agency to make applications on the agency‘s behalf This limitation ensures that the need to apply for a journalist information warrant is considered at an appropriately senior level in an agency 468 Subsection 180Q 3 gives the chief officers of enforcement agencies the power to nominate in writing management level offices or positions in their agency the occupants of which can apply on behalf of their agency for a journalist information warrant 469 Subsection 180Q 4 clarifies that nominations made by chief officers under subsection 180Q 3 are not legislative instruments 470 Subsection 180Q 5 specifies that applications for a journalist information warrant on behalf of an enforcement agency may be made in writing or any other form Section 180R—Further information 471 Subsection 180R 1 provides that the issuing authority may require the applicant to provide further information in connection with an application for a journalist information warrant 472 Subsection 180R 2 sets out what happens if the enforcement agency does not provide the information the issuing authority requires under subsection 180R 1 In these circumstances the issuing authority can refuse to consider the application or to take any action or any further action in relation to the application 473 The purpose of section 180R is to ensure that an issuing authority can require an enforcement agency to make available to the issuing agency all relevant and necessary 81 information when considering an application for a journalist information warrant Section 180R also makes it clear the issuing authority is not required to consider or act on such an application if that information is not provided Section 180S—Oaths and affirmations 474 Subsection 180S 1 provides that information given by enforcement agencies to the issuing authority in connection with an application for a journalist information warrant must be given on oath or affirmation 475 Subsection 180S 2 provides that the issuing authority can administer the oath or affirmation or can authorise another person The oath or affirmation may be administered in person by telephone video call video link or audio link 476 The purpose of section 180S is to ensure that information that the enforcement agency gives to the issuing authority in support of an application for a journalist information warrant complies with the requirements of evidence law for witnesses to take an oath or affirmation before giving evidence Section 180T—Issuing a journalist information warrant 477 Section 180T provides that after considering an application for a journalist information warrant under section 180T an issuing authority must either issue a warrant that authorises the requesting agency to make data authorisations in relation to a person who is working in a professional capacity as a journalist or refuse to issue a journalist information warrant 478 The factors that an issuing authority must consider in making a decision are set out in Subsection 180T 2 479 An issuing authority can only issue a journalist information warrant if he or she is satisfied that the warrant is reasonably necessary to enforce the criminal law or locate a person reported as missing to the Australian Federal Police or a State Police Force or enforce a law that imposes a pecuniary penalty or protects the public revenue or investigate serious offences or an offence against a Commonwealth State or Territory law punishable by at least a 3 year imprisonment term 480 The issuing authority must also be satisfied that the public interest in issuing the warrant outweighs the public interest in protecting the confidentiality of the identity of the source having regard to specified factors These include the anticipated privacy interference the gravity of the matter for which the warrant is sought the assistance the information to be sought would provide whether other reasonable methods if any that would be effective to obtain the information have been used any submissions by a Public Interest Advocate on that application and any other relevant matter 82 Section 180U—Form and content of a journalist information warrant 481 Section 180U requires journalist information warrants issued under the Subdivision to be made in accordance with a form to be prescribed 482 Journalist information warrants must be signed by the issuing authority that issues the warrant and be in the prescribed form Warrants may list any conditions or restrictions that apply to authorisations made under the warrant and must specify the period for which the warrant is in force Under subsection 180U 3 and section 180V journalist information warrants can be in force for up to 90 days commencing the day the warrant is issued 483 Subsection 180U 4 provides that warrants cannot be extended beyond the period they are in force This ensures that any ongoing operational need to investigate the subject of a journalist information warrant is considered afresh by an issuing authority under the criteria set out in section 180U Subsection 180U 5 clarifies that while a journalist information warrant cannot be extended a further warrant can be issued under the TIA Act in relation to a person previously the subject of a warrant under the Act Section 180V—Entry into force of a journalist information warrant 484 Section 180V provides that a journalist information warrant comes into force when it is issued Section 180W—Revocation of a journalist information warrant by chief officer 485 Section 180W outlines the revocation of a journalist information warrant Paragraph 180W 1 a states that the chief officer may revoke such a warrant at any time Paragraph 180W 1 b provides that the chief officer of an enforcement agency must revoke such a warrant if satisfied that the grounds on which the warrant were issued to the agency have ceased to exist Subdivision D—Miscellaneous Section 180X—Public interest advocates 486 Section 180X creates the new role of Public Interest Advocates The Public Interest Advocate role considers and evaluates journalist information warrant applications made by the Organisation and law enforcement agencies pursuant to sections 180L and 180T respectively The Public Interest Advocate can make independent submissions to the Minister in the case of the journalist information warrants made by the Organisation and to the issuing authority in the case of the law enforcement agencies on the proposed undertaking in relation to each application including conditions or restrictions 487 Subsection 180X 1 provides that the Prime Minister must declare one or more persons to be a Public Interest Advocate Subsection 180X 3 enables regulations to be made relating to the role of the Public Interest Advocate to support the discharge of its independent role Subsection 180X 4 clarifies that a declaration of an Advocate is not a legislative instrument 83 Items 6M 6N 6P 6Q 6R 6S 6T and 6U—Sections 181A 181B and 182 488 These items amend the Bill to insert paragraphs into the use and disclosure provisions contained in Part 4-1 Division 6 of the TIA Act These are consequential amendments relating to the implementation of recommendations 27 and 34 of the 2015 PJCIS Report 489 These items ensure that ASIO enforcement agencies IGIS the Commonwealth Ombudsman the Minister and the PJCIS are able to use and disclose authorisations made under Chapter 4 of the TIA Act and associated information for the purposes of the oversight and reporting functions recommended by the PJCIS in its report 490 The introduction of specific provisions to the TIA Act permitting persons to deal in information for the purpose of the IGIS exercising powers or performing functions or duties under the IGIS Act follows the introduction of similarly specific provisions into the ASIO Act by the National Security Legislation Amendment Act No 1 2014 In that context these items seek to place beyond doubt that a person use or disclose the information described in sections 181A 181B and 182 for the purpose of the IGIS exercising powers or performing functions or duties under the IGIS Act Item 6V—At the end of Division 6 of Part 4-1 491 This item inserts sections 182A and 182B in the TIA Act and relates to the introduction of journalist information warrants 492 Section 182A creates an offence where a person discloses or uses a journalist information warrant or information about such a warrant Commission of the offence attracts a penalty of two years imprisonment 493 Section 182B outlines the circumstances in which disclosures and use are permitted An enforcement agency may use or disclose such a warrant or information about such a warrant to a third party for the specified purposes set out in the section Such purposes include enabling the making of submissions under section 180X by a Public Interest Advocate enabling a person to comply with their notification obligations under section 185D or 185DE in relation to journalist information warrants enabling ASIO to perform its functions or to enforce the criminal law the enforcement of a law imposing a pecuniary penalty or the protection of the public revenue In addition a disclosure to and by an IGIS official in connection with the exercising of the powers or performing functions or duties of the IGIS is permitted 494 The note following section 182B indicates that where a person is charged in relation to a contravention of section 182A the defendant bears an evidential burden to demonstrate that the disclosure or use was lawful Item 6W—At the end of section 185 495 Subsection 185 3 ensures that section 185 of the TIA Act does not limit the operation of subsection 187N 3 which relates to the keeping of information for the PJCIS review into the data retention scheme 84 Item 6X—After section 185C 496 Sections 185D and 185E in the TIA Act implement the Government‘s responses to recommendations 27 and 34 of the 2015 PJCIS Report Consequential on the introduction of journalist information warrants the provisions require agencies‘ to provide a copy of journalist information warrants to the Minister IGIS and Ombudsman 497 Section 185D requires the Director-General of Security and the Commissioner of the Australian Federal Police to provide copies of journalist information warrants to the IGIS or the Ombudsman if applicable as soon as practicable after they are made The Commissioner of the Australian Federal Police is required to give the Minister a copy of the warrant as soon as practicable and the Minister must then notify the PJCIS that such a warrant has been issued 498 Furthermore section requires the Director-General of Security and the chief officers of enforcement agencies to provide the IGIS or Ombudsman as applicable with copies of authorisations made under those warrants as soon as practicable after the expiry of the warrant 499 Subsections 185D 1 2 5 and 6 ensures that the relevant independent oversight bodies the IGIS and Ombudsman are provided with copies of journalist information warrants and authorisations made under those warrants The IGIS and Ombudsman can then undertake relevant oversight activities in relation to the warrants and subsequent authorisations under their governing legislation – the IGIS Act and in the case of the Ombudsman the TIA Act 500 Subsections 185D 3 and 185D 7 impose obligations on the Minister in relation to reports provided by the IGIS or Ombudsman concerning journalist information warrants and authorisations made as a result In the event that the IGIS or the Ombudsman exercise their oversight functions in relation to relevant warrants and authorisations and report to the responsible Minister in accordance with their governing legislation the Minister is then required to provide copies of those oversight reports to the PJCIS as soon as practicable after receiving them from the IGIS or the Ombudsman 501 The PJCIS can then request the IGIS or the Ombudsman to brief it on the relevant oversight report 502 Section 185E implements recommendation 34 of the 2015 PJCIS report It imposes corresponding obligations to those in section 185D on the Minister after receiving oversight reports from the IGIS or the Ombudsman in relation to the purpose and manner of access to data by ASIO or the AFP generally 503 The Minister must provide any oversight reports to the PJCIS as soon as practicable after receiving them from the IGIS or Ombudsman and the PJCIS may request the IGIS or Ombudsman to brief it on the relevant oversight report 504 These amendments ensure that the PJCIS has visibility of the outcomes of independent oversight of authorisations undertaken by the IGIS and Ombudsman under those bodies‘ governing legislation Importantly the amendments also preserve the independent discretion of these oversight offices in setting their oversight priorities and performing their 85 statutory functions The amendments further maintain the established lines of reporting as between the IGIS and the Ombudsman and the relevant responsible Minister 505 The ability of the PJCIS to request briefing on the outcomes of oversight in relation to the retained data activities of ASIO and the AFP under Part 5 3 of the Criminal Code is consistent with its existing ability to seek briefings from relevant entities including the IGIS under section 30 of the ISA Items 6Y and 6Z—End of subsection 186 1 506 Items 6Y and 6Z amend section 186 of the TIA Act which relates to the information required of agencies in reporting to the Minister That information is included in the TIA Act Annual Report which is tabled in Parliament each year 507 The report includes information about agency‘s use of powers under the TIA Act including information about interception warrants warrants for access to stored communications and authorisations for access to telecommunications data Items 6Y and 6Z expand the list of required information in accordance with recommendation 33 of the 2015 PJCIS Report and require the number of journalist information warrants issued during the reporting period and the number of authorisations made under those journalist information warrants 508 Subsection 186 1E provides the Minister with a declaration-making power to declare additional kinds of information that must be provided under section 186 1 86 PART 3—APPLICATION PROVISIONS Item 7—Existing information and documents 509 Subitem 1 provides that the requirements on service providers to keep data contained in Schedule 1 apply in relation to information and documents already being kept by service providers immediately before the commencement of this item where the service provider had not already kept the information or documents for longer than the retention period specified by section 187C 510 This ensures that any existing information and documents that have been in existence for less than two years will be retained by service providers and will remain available for law enforcement and national security purposes 511 These obligations may be modified under a data retention implementation plan or an exemption approved under Part 5-1A 512 Subitem 2 is intended to provide clarification that the requirement in subitem 1 to retain existing information and documents does not require a service provider to create any information or document that was not already created by the operation of a carriage service before the commencement of this item 513 The data retention requirements contained in Part 5-1A as inserted by Item 1 of Schedule 1 do not have retrospective application Item 8—Reducing the period for keeping information or documents 514 This item commences on Royal Assent and requires that service providers must not reduce the length of time for which they retain information or documents that are subject to data retention obligations under Part 5-1A in the period between Royal Assent and the commencement of Part 5-1A 515 The purpose of this item is to prevent any further degradation of industry retention practices prior to the commencement of Part 5-1A 516 This item interacts with the implementation planning and exemption frameworks An implementation plan approved under section 187F or an exemption granted under section 187K may modify the period for which a service provider is after the commencement of Part 5-1A required to keep or cause to be kept information or documents under Part 5-1A As such where a service provider has an implementation plan approved or is granted an exemption prior to the commencement of Part 5-1A the provider is permitted to keep the information or documents covered by that plan or exemption for the period specified in that plan or exemption even if that period is shorter than the period for which the service provider kept that information or those documents at Royal Assent 517 This item is taken to be a civil penalty provision for the purposes of the Telecommunications Act 87 Item 9—Applications made before commencement of Part 5-1A 518 Subitem 9 1 provides that at any time after this legislation receives the Royal Assent a service provider may apply to the Communications Access Co-ordinator the CAC for either or both of the following a i approval of a data retention implementation plan ii an amendment of a data retention implementation plan and b a decision to exempt the service provider from any or all of the obligations under subsection 187K 1 or 187KA 2 519 This enables service providers to seek approval of plans and to facilitate a decision by the CAC on the request before the commencement of the data retention obligations At any time after this legislation receives the Royal Assent a service provider may apply to the ACMA for review of a decision by the CAC on an application by the service provider to exempt the service provider from some or all of its data retention obligations However the service provider is not able to apply to the ACMA unless and until the CAC has made such a decision This implements recommendation 15 of the 2015 PJCIS Report in relation to the period after Royal Assent of the legislation but prior to commencement of the legislation 520 Subitem 9 2 provides that paragraph 1 a of this item application for the approval of a data retention implementation plan after the Royal Assent does not apply unless the application would if it had been made after the commencement of Part 5-1A have complied with the requirements for applying for the approval of data retention implementation plans under section 187E 521 The effect of this subitem is to require that applications by a service provider made prior to the commencement of the main data retention amendments for the approval of a data retention implementation plan must still comply with the requirements for such an application under section 187E Item 10—Decisions made before commencement of Part 5-1A 522 Subitem 10 1 provides that the power of the CAC to make decisions under sections 187F approval of data retention implementation plans 187G consultation with interception agencies and the ACMA 187J amending data retention implementation plans 187K exemptions and 187KA the ACMA powers to review CAC decisions is taken for the purposes of section 4 of the Acts Interpretation Act 1901 AIA to be a power to make an instrument of an administrative character 523 Section 4 of the AIA allows for the exercise of powers of an administrative character conferred by an Act before the commencement of that Act 524 The ability of the CAC to make these decisions before the commencement of Part 51A as inserted by Item 1 of Schedule 1 of this legislation ensures that the data retention scheme will be fully effective upon the commencement of the main amendments 525 Subitem 10 2 is a transitional application provision It provides that subsection 187F 3 applies in relation to applications for the approval of data retention 88 implementation plans made before the commencement of Part 5-1A as if references in that subsection to 60 days were references to the number of days provided for in subitem 4 of this item 526 Subsection 187F 3 provides that a service provider‘s application to the CAC for the approval of a data retention implementation plan is deemed to have been granted if the CAC does not make a decision within 60 days 527 Subitem 10 3 is a transitional application provision It provides that paragraph 187K 5 b applies in relation to applications for exemptions made before the commencement of Part 5-1A as if references in that subsection to 60 days were references to the number of days provided for in subitem 4 528 Subsection 187K 5 provides that a service provider‘s application to the CAC for an exemption from the data retention obligations under section 187A is deemed to have been granted if the CAC does not make a decision within 60 days 529 Subitem 10 4 provides that for the purposes of subitems 10 2 and 3 the number of days is the period between the day the application was made and the day immediately before Part 5-1A commences and 60 days whichever is greater 530 Subitems 10 2 and 3 have the effect of providing the CAC with at least 60 days to consider applications before an approval is deemed This time period ensures that the CAC has sufficient time to properly consider any applications received prior to the commencement of Part 5-1A Item 11—Keeping information or documents before commencement of Part 5-1A 531 This item provides that a service provider may keep or cause to be kept the information or documents the service provider is required to keep or cause to be kept under the data retention obligations contained in Part 5-1A as inserted by Item 1 of Schedule 1 before the commencement of those data retention obligations 532 Australian Privacy Principles 3 2 and 11 2 prohibit entities from collecting and retaining data that is not reasonably necessary for its functions or activities in the absence of a legislative obligation which do not exist until the data retention obligations commence to do so 533 However it may be more commercially efficient for a carrier to commence retaining data at some point prior to the commencement of the data retention obligations For example if a carrier designs and builds a new data retention system it may wish to shut down its existing system and transition to the new system prior to the commencement date to save on capital and operating costs 534 This provision ensures that service providers are not in breach of their obligations under the Privacy Act 1988 should they retain relevant data before the commencement of the data retention requirements 89 Item 12—First reporting period after commencement of Part 5-1A 535 This item provides that in the first annual reporting period following the commencement of the Bill ASIO and enforcement agencies are only required to comply with annual reporting requirements introduced by the Bill on a prospective basis That is agencies are not required to report on matters that occurred before commencement of the legislative requirements 90 SCHEDULE 2— RESTRICTING ACCESS TO STORED COMMUNICATIONS AND TELECOMMUNICATIONS DATA Overview of measures 536 This Schedule amends the Telecommunications Interception and Access Act 1979 the TIA Act to limit the types of agencies that can apply for stored communications warrants under Part 3-3 of Chapter 3 of the TIA Act and the types of authorities and bodies that can authorise the disclosure of telecommunications data under Division 4 Part 4-1 of Chapter 4 of the TIA Act 537 These amendments recognise the widespread community acceptance and use of stored communications including text messages and emails and the greater privacy sensitivity of these communications which reveal content and the substance of a person‘s discussions with others compared to telecommunications data Currently authorities and bodies that are an ‗enforcement agency‘ can apply to an independent issuing authority appointed under section 6DB of the TIA Act for a stored communications warrant to investigate a ‗serious contravention‘ of the law While this requirement limits the availability of stored communications warrants to enforcement agencies that investigate offences with at least a three year imprisonment penalty or a fine of at least 900 penalty units this Schedule further reduces the availability of stored communications warrants by limiting access to stored communications to agencies that are criminal law-enforcement agencies 538 Currently access to telecommunications data is regulated by Chapter 4 of the TIA Act which permits enforcement agencies to authorise telecommunications carriers to disclose telecommunications data where that information is reasonably necessary for the enforcement of the criminal law a law imposing a pecuniary penalty or the protection of the public revenue An ‗enforcement agency‘ is broadly defined to include all interception agencies as well as a body whose functions include administering a law imposing a pecuniary penalty or administering a law relating to the protection of the public revenue In practice the range of agencies that are enforcement agencies and who can authorise the disclosure of telecommunications data is broad and includes local government councils and Commonwealth and State Departments and Agencies In 2012-13 approximately 80 enforcement agencies made historic data authorisations 16 539 Schedule 2 amends the existing definition of ‗enforcement agency‘ to limit access to telecommunications data to criminal law-enforcement agencies and authorities or bodies that have been declared by the Minister to be an ‗enforcement agency‘ These amendments are consistent with recommendation 5 of the 2013 PJCIS Report that the number of agencies able to access telecommunications data be reduced 540 These amendments are also consistent with Australia‘s international legal obligations under the Convention on Cybercrime Article 14 2 of the Cybercrime Convention17 requires parties to ensure that telecommunications data and other evidence in electronic form other than the content of communications and prospective or future telecommunications data is 16 Australian Government Attorney-General‘s Department 2013 Telecommunications Interception and Access Act 1979 Annual Report 2012-13 47-51 17 Opened for signature 23 November 2001 ETS 185 entered into force 1 July 2004 91 available for the investigation of any criminal offence 18 Schedule 2 complies with this obligation by ensuring that telecommunications data is available to agencies with a demonstrated need to access data 541 The data access arrangements contained in Schedule 2 are subject to new oversight and accountability requirements detailed in Schedule 3 of the Bill Together the Schedules introduce a new data access framework that better protects privacy while ensuring that data is available to investigate criminal offences and other activities that threaten community safety and security 542 Part 1 of this Schedule contains the main amendments to Chapters 3 and 4 These provisions restrict access to stored communications to criminal law enforcement agencies and amend the definition of ‗criminal law enforcement agency‘ and ‗enforcement agency‘ 543 Part 2 of this Schedule contains other amendments that are consequential to the amendments contained in Part 1 544 Part 3 of this Schedule prescribes the application of the amendments contained in Schedule 2 on their commencement PART 1—MAIN AMENDMENTS Telecommunications Interception and Access Act 1979 Item 1—Subparagraphs 107J 1 a i and ii 545 Subparagraph 107J 1 a i of the TIA Act enables any enforcement agency to issue a historic domestic preservation notice to a carrier to preserve specified stored communications held by a carrier on the day the notice is received Subparagraph 107J 1 a ii allows enforcement agencies that are also interception agencies to issue ongoing preservation notices Ongoing notices require carriers to keep relevant stored communications held by the carrier for up to 30 days from receipt of the notice The term ‗interception agency‘ is defined in section 5 of the TIA Act and is limited to agencies such as the Australian Federal Police and State Police Forces eligible to apply under Part 2-5 of the TIA Act for an interception warrant 546 Item 1 removes the references to an ‗enforcement agency‘ in subsection 107 J 1 of the TIA Act and substitute the new definition of a ‗criminal law-enforcement agency‘ in section 110A of the Act Amending the definition strengthens privacy protections in relation to stored communications by limiting the availability of historic domestic preservation notices to those agencies who can apply for stored communications warrants under the TIA Act as amended by this Schedule Ongoing domestic preservation notices continue to be limited to interception agencies Item 2—Subsection 110 1 547 Subsection 110 1 of the TIA Act provides that an enforcement agency may apply to an issuing authority for a stored communications warrant in respect of a person 18 See also Council of Europe Explanatory Report to the Convention on Cybercrime paragraph 141 92 548 Item 2 removes the reference to an ‗enforcement agency‘ in subsection 110 1 of the Act and substitute the new definition of a ‗criminal law-enforcement agency‘ in section 110A of the Act 549 Amending the definition reduces the number of agencies that can apply for stored communications warrants from all enforcement agencies that investigate serious contraventions to those authorities and bodies that are recognised under section 110A of the Act as being criminal law-enforcement agencies Item 3—After section 110 Section 110A—meaning of criminal law-enforcement agency 550 Currently criminal law-enforcement agencies can issue historic domestic preservation notices and access stored communications and prospective telecommunications data Agencies that fall within the broader definition of ‗enforcement agency‘ are also able to issue historic domestic preservation notices and apply for stored communications warrants 551 Item 3inserts a definition of ‗criminal law-enforcement agency‘ after section 110 of the TIA Act The definition removes the ability of enforcement agencies that are not also criminal law-enforcement agencies to issue historic domestic preservation notices under subsection 107J 1 and to apply for stored communications warrants under section 110 of the Act These amendments recognise that while governments at all levels have charged a range of authorities and bodies with responsibility for investigating or enforcing offences punishable by significant prison terms at least a three year term access to stored communications should be limited to agencies with a demonstrated investigative need and practices to safeguard the use and disclosure of information obtained under a stored communications warrant Subsection 110A 1 – meaning of criminal law-enforcement agency 552 Subsection 110A 1 provides that the following agencies authorities and bodies are ‗criminal law-enforcement agencies‘ a the Australian Federal Police b a Police Force of a State c the Australian Commission for Law Enforcement Integrity d the Australian Crime Commission e the Australian Customs and Border Protection Service ea the Australian Securities and Investments Commission eb the Australian Competition and Consumer Commission f the Crime Commission g the Independent Commission Against Corruption h the Police Integrity Commission i the Independent Broad-based Anti-corruption Commission j the Crime and Corruption Commission of Queensland k the Corruption and Crime Commission l the Independent Commissioner Against Corruption and 93 m subject to subsection 7 an authority or body for which a declaration under subsection 3 is in force 553 Section 110A includes all the interception agencies listed in the current definition of criminal law-enforcement agency in section 5 1 of the TIA Act The Australian Customs and Border Protection Service is included as it is prescribed by the Telecommunications Interception and Access Regulations 1987 to be a criminal law-enforcement agency for the purposes of paragraph k of the definition of ‗enforcement agency‘ in subsection 5 1 of the TIA Act 554 Paragraph 110A 1 m allows the Minister to declare authorities or bodies to be criminal law-enforcement agencies to accommodate the creation of any new agencies or any changes in agency functions over time 555 The inclusion of ASIC and ACCC as ‗criminal law-enforcement agencies‘ implements recommendation 20 of the 2015 PJCIS Report Subsections 110A 2 to 6 – Declaration of an authority or body as a criminal lawenforcement agency 556 Subsections 110A 2 to 9 allow the Minister to declare authorities or bodies to be ‗criminal law-enforcement agencies‘ for the purposes of paragraph 110A 1 m This power replaces paragraph k in the definition of enforcement agency in section 5 1 of the TIA Act that allows the Governor-General to make regulations prescribing an agency to be an enforcement agency Agencies that are prescribed under paragraph k are also criminal lawenforcement agencies for the purposes of the TIA Act 557 Under subsection 110A 2 the head of an authority or body is able to ask the Minister to declare the authority or body to be a criminal law-enforcement agency 558 Under paragraph 110A 3 a the Minister may declare an authority or body to be a criminal law-enforcement agency Paragraph 110A 3 b also enables the Minister to declare certain persons specified in the declaration to be ‗officers‘ of the criminal law-enforcement agency Under the TIA Act officers as defined in subsection 5 1 of the Act have various roles and responsibilities For example under section 110 of the TIA Act applications for stored communications warrants can be made on an agency‘s behalf by officers holding a management position in that agency Enabling persons to be declared as officers of a particular criminal law enforcement agency facilitates the effective operation of the TIA Act in relation to that agency 559 Subsection 110A 3A clarifies that the Minister may declare an authority or body to be a criminal law-enforcement agency under subsection 110A 3 even if the head of that authority or body has not made a request in accordance with subsection 110A 2 560 Subsection 110A 3B provides that the Minister may not declare an authority or body to be a criminal law-enforcement agency unless the Minister is satisfied on reasonable grounds that the authority or body has functions that include investigating serious contraventions The term ‗serious contravention‘ is defined in section 5E of the TIA Act 561 Subsection 110A 3B implements recommendation 17 of the 2015 PJCIS Report Subsection 110A 3B is intended to ensure that only agencies that investigate serious 94 contraventions can be declared criminal law-enforcement agencies and thereby be able to use the more intrusive powers of obtaining stored communications warrants or making an authorisation for the disclosure of prospective telecommunications data 562 Before making a declaration the Minister must consider the factors listed in paragraphs b - f of subsection 110A 4 The current regulation making power in relation to paragraph k of the definition of enforcement agency does not prescribe any factors that must be considered in making a decision whether or not to prescribe an agency Subsection 110A 4 ensures that authorities and bodies provide consistent and detailed information about their functions and privacy practices necessary to make an informed decision about an agency‘s need to access stored communications and the appropriateness of that agency having such information 563 Under paragraph 110A 4 c in considering whether to make a declaration the Minister must have regard to whether the authority or body is required to comply with the Australian Privacy Principles is required to comply with a binding scheme that provides protection of personal information that meets the requirements of subsection 4A or has agreed in writing to comply with a scheme providing such protection of personal information in relation to personal information disclosed to it under Chapter 3 or 4 if the declaration is made 564 Subsection 110A 4A operates in conjunction with subparagraphs 110A 4 c ii and iii by stating that the protection of personal information provided by the scheme must be comparable to the protection provided by the Australian Privacy Principles and include a mechanism for monitoring the authority‘s or body‘s compliance with the scheme and include a mechanism that enables an individual to seek recourse if his or her personal information is mishandled 565 These amendments require the Minister to be satisfied in considering whether to make a declaration of an ‗criminal law-enforcement agency‘ that the authority or body is required to comply with a binding scheme with the listed privacy-protection mechanisms These particular amendments implement recommendation 18 of the 2015 PJCIS Report 566 Subsection 110A 5 allow the Minister is able to consult with any persons or bodies the Minister considers should be consulted with before making a declaration under subsection 110A 4 The Minister can consult with the Privacy Commissioner and the Commonwealth Ombudsman but is not limited to consulting with those bodies 567 Subsection 110A 6 when read with subsection 110A 7 means that authorities and bodies may only be granted the status of a criminal law-enforcement agency or enforcement agency for certain powers available under Chapter 3 or Chapter 4 of the TIA Act Authorities may investigate a range of offences only some of which are serious contraventions under section 5E of the TIA Act serious contraventions are limited to offences punishable by a period or a maximum period of at least three years‘ imprisonment or an equivalent fine or pecuniary penalty In these circumstances the interaction of these two subsections means the 95 Minister could limit an authority‘s status as a criminal law enforcement agency to the offences with a three year or more imprisonment term 568 Decisions about declarations are not subject to review under the Administrative Decisions Judicial Review Act 1977 the ADJR Act as decisions under the TIA Act are not decisions to which the ADJR Act applies see paragraph d of Schedule 1 to the ADJR Act The exclusion of these decisions from the ADJR Act does not prevent decisions made under the TIA Act from being judicially reviewed under paragraph 75 v of the Constitution Declarations under subsection 110A 3 are also subject to parliamentary review as they are legislative instruments under the Legislative Instruments Act 2003 and can be disallowed under Part 5 of that Act 569 Subsection 110A 8 enables the Minster to revoke a declaration made under subsection 3 if the Minister is no longer satisfied that the circumstances justify the declaration remaining in force This provision addresses a shortfall in the current Act whereby agencies that meet the definition of a criminal law-enforcement agency retain that status even if their functions change Subsection 110A 8 ensures that only agencies with a demonstrated need for stored communications are able to obtain this information 570 of Under subsection 110A 9 the revocation of a declaration does not affect the validity a a domestic preservation notice given by the authority or body b a stored communications warrant issued to the authority or body that was in force immediately before the revocation took effect or c an authorisation made by an authorised officer of the authority or body under Division 4 of Part 4-1 571 This allows authorities and bodies to rely on notices and authorisations already issued or warrants already obtained for the duration of their independent validity period and protect carriers who act on a notice authorisation or a stored communications warrant before becoming aware of the revocation 572 Subsections 110A 10 and 110A 11 respond to recommendation 17 of the 2015 PJCIS Report 573 Paragraph 110A 10 a provides that a declaration comes into force either when it is made or on a later day specified in the declaration Paragraph 110A 10 b provides that the declaration ceases to be in force after 40 sitting days of either House of Parliament after the declaration comes into force The time to expiry of the declaration only commences once the declaration comes into force which may be later than when it is made 574 Subsection 110A 11 provides that when a Bill is introduced into either House of Parliament to amend the list of criminal law-enforcement agencies in the TIA Act the Minister must refer the amending Bill to the PJCIS and give the PJCIS at least 15 sitting days of a House of Parliament to conduct its review and issue its report 96 Item 4—Before section 177 Section 176A—meaning of enforcement agency 575 Item 4 inserts section 176A before section 177 of the TIA Act 576 Section 176A replaces the current definition of ‗enforcement agency‘ in subsection 5 1 of the TIA Act with a definition that limits the authorities and bodies that can access telecommunications data to criminal law-enforcement agencies and authorities and bodies declared under section 176A to be an enforcement agency 577 Currently the definition of ‗enforcement agency‘ in section 5 1 of the TIA Act provides that the following agencies are enforcement agencies a the Australian Federal Police b a Police Force of a State c the Australian Commission for Law Enforcement Integrity d the Australian Crime Commission e the Crime Commission f the Independent Commission Against Corruption g the Police Integrity Commission h the Independent Broad-based Anti-corruption Commission i the Crime and Misconduct Commission j the Corruption and Crime Commission ja the Independent Commissioner Against Corruption k an authority established by or under a law of the Commonwealth a State or a Territory that is prescribed by the regulations for the purposes of this paragraph l a body or organisation responsible to the Ministerial Council for Police and Emergency Management - Police m the CrimTrac Agency n any body whose functions include i administering a law imposing a pecuniary penalty or ii administering a law relating to the protection of the public revenue 578 The reference to ‗criminal law-enforcement agency‘ in paragraph 176A a replaces the agencies listed at paragraphs a to k in the current definition 579 Current paragraph l of the definition of ‗enforcement agency‘ is an open-ended description and is omitted from paragraph 176A Deleting this reference ensures that only agencies specifically listed in the section or declared to be enforcement agencies following consideration of the factors listed in paragraph 176A 4 can access telecommunications data 580 Current paragraph m which refers to the CrimTrac Agency is also deleted from the definition CrimTrac develops and maintains national police information sharing services between Australian law enforcement agencies particularly by delivering national database systems such as the National Child Sex Offender Register the National Automated Fingerprint Identification System and the National Criminal Investigation DNA Database CrimTrac does not however enforce laws by investigating and prosecuting specific instances of wrongdoing whether in a primary or supporting role 97 581 Current paragraph n is also removed from the definition Paragraph n is broad and increases the possibility that authorities and bodies that do not have a compelling current need to access telecommunications data may be able to authorise the disclosure of this information The definition as unamended by this Bill encompasses a wide range of Commonwealth State Territory and local government agencies as well as bodies such as the Royal Society for the Prevention of Cruelty to Animals that have law enforcement roles under State legislation Many of these bodies are responsible for investigating serious activities and behaviours For example under Queensland‘s Animal Care and Protection Act 2001 the offence of animal cruelty has a maximum penalty of 2 000 penalty units or 3 years imprisonment 582 While the existing arrangements limit who within an authority or body can access telecommunications data and for what purposes the scope of current paragraph n means that telecommunications data could potentially be available to a large number of agencies as the TIA Act does not have a clear mechanism for determining which authorities and bodies fall within the definition of an ‗enforcement agency‘ Section 176A addresses this issue by introducing a power at subsection 176A 3 for the Minister to declare a specific authority or body to be an enforcement agency for the purposes of the TIA Act Subsections 176A 2 to 7 – Declaration of an authority or body as an enforcement agency 583 Subsections 176A 2 to 7 sets out the process to be used by the Minister in considering whether to declare an authority or body to be an enforcement agency 584 Under subsection 176A 2 the head of an authority or body is able to request that the Minister declare the authority or body to be an enforcement agency 585 Under paragraph 110A 3 a the Minister may declare an authority or body to be a criminal law-enforcement agency Paragraph 176A 3 b also enables the Minister to declare certain persons specified in the declaration to be ‗officers‘ of the enforcement agency Under the TIA Act officers as defined in subsection 5 1 of the Act have various roles and responsibilities For example under section 185C of the TIA Act evidentiary certificates relating to acts by enforcement agencies may be issued by a certifying officer of that agency Enabling persons to be declared as officers of a particular enforcement agency facilitates the effective operation of the TIA Act in relation to that agency 586 Subsection 176A 3A clarifies that the Minister may declare an authority or body to be an enforcement agency under subsection 176A 3 even if the head of that authority or body has not made a request in accordance with subsection 176A 2 587 Subsection 176A 3B provides that the Minister may not declare an authority or body to be an enforcement agency unless the Minister is satisfied on reasonable grounds that the authority or body has functions that include or more of a enforcement of the criminal law b administering a law imposing a pecuniary penalty or c administering a law relating to the protection of the public revenue 588 Subsection 176A 3B implements the relevant part of recommendation 21 of the 2015 PJCIS Report Subsection 176A 3B is intended to ensure that only agencies that have the 98 functions referred to above can be declared enforcement agencies and thereby be able to access historic telecommunications data 589 The meaning of ‗enforcement of the criminal law‘ for the purposes of paragraph 176A 3B c include the process of investigating crime and prosecuting criminals It also includes precursory and secondary intelligence gathering activities which support the investigating and prosecution of suspected offences The term ‗criminal law‘ includes any Commonwealth State or Territory law that makes particular behaviour an offence punishable by fine or imprisonment 590 The reference to ‗pecuniary penalties‘ in paragraph 176A 3B a relates to penalties for breaches of Commonwealth State and Territory laws that are not prosecuted criminally or that impose a penalty which serves as an administrative alternative to prosecution often referred to as civil or administrative penalty provisions Pecuniary penalties for the purposes of this provision are not intended to encompass small-scale administrative fines 591 The concept of ‗public revenue‘ in paragraph 176A 3B b includes State and Territory revenue in addition to Commonwealth revenue Lawful obligations charged on a regular basis such as taxes levies rates and royalties are also included but occasional charges such as fines are not ‗Protecting the public revenue‘ also includes the activities of agencies and bodies undertaken to ensure that those lawful obligations are met for example routine collection audits investigatory and debt recovery actions 592 The term ‗revenue‘ is not intended to be limited to incoming monies from taxation but could also extend to ‗monies which belong to the Crown or monies to which the Crown has a right or monies which are due to the Crown‘ 19 The term ‗protection of public revenue‘ is intended to extend to protecting the revenue from which compensation or similar payments are paid including circumstances where it is sought to ensure that wrongful payments are not made out of that revenue The term does not include activities aimed at identifying and eliminating inefficient but lawful spending of public monies The concept of ‗administering‘ a law in subparagraphs 176A 4 a ii and iii also includes bodies whose functions include investigating possible breaches of relevant laws as this work plays an important role in carrying legislation into effect including by ensuring that the obligations imposed by the legislation are carried out 593 Before making a declaration the Minister must consider the factors listed in paragraphs b - f of subsection 176A 4 Subsection 176A 4 ensures that authorities and bodies provide consistent and detailed information about their functions and privacy practices necessary to make an informed decision about an authority‘s or body‘s need to access telecommunications data and the appropriateness of that authority or body having such information 594 Under paragraph 176A 4 c in considering whether to make a declaration the Minister must have regard to whether the authority or body i is required to comply with the Australian Privacy Principles ii is required to comply with a binding scheme that provides protection of personal information that meets the requirements of subsection 4A and 19 Stephens v Abrahams 1902 27 VLR 753 at 767 see also Lush v Coles 1967 2 All ER 585 at 588 99 iii has agreed in writing to comply with a scheme providing such protection of personal information in relation to personal information disclosed to it under Chapter 3 or 4 if the declaration is made 595 Subsection 176A 4A operates in conjunction with subparagraphs 176A 4 c ii and iii by stating that the protection of personal information provided by the scheme must a be comparable to the protection provided by the Australian Privacy Principles and b include a mechanism for monitoring the authority‘s or body‘s compliance with the scheme and c include a mechanism that enables an individual to seek recourse if his or her personal information is mishandled 596 The effect of these amendments is to require the Minister to be satisfied in considering whether to make a declaration of an ‗enforcement agency‘ that the authority or body is required to comply with a binding scheme with the listed privacy-protection mechanisms These particular amendments implement recommendation 22 of the 2015 PJCIS Report 597 Subsection 176A 5 means that the Minster can consult with any persons or bodies the Minister considers should be consulted before making a declaration under subsection 176A 4 The Minister can consult with the Privacy Commissioner and the Ombudsman but is not limited to consulting with those bodies 598 Subsection 176A 6 when read with subsection 176A 7 means that an authority or body may only be granted the status of an enforcement agency for certain powers available under Chapter 4 of the TIA Act For instance an authority‘s functions may include administering legislation that imposes pecuniary penalties of a minor degree as well as offences with significant penalties and terms of imprisonment In these circumstances the interaction of these two subsections means the Minister could limit an authority‘s ability to access telecommunications data to the offence with more significant penalties 599 Decisions about declarations are not subject to review under the Administrative Decisions Judicial Review Act 1977 the ADJR Act as decisions under the TIA Act are not decisions to which the ADJR Act applies see paragraph d of Schedule 1 to the ADJR Act The exclusion of these decisions from the ADJR Act does not prevent decisions made under the TIA Act from being judicially reviewed under paragraph 75 v of the Constitution Declarations under subsection 176A 3 are also subject to parliamentary review as they are legislative instruments under the Legislative Instruments Act 2003 and can be disallowed under Part 5 of that Act 600 Subsection 176A 8 enables the Minister to revoke a declaration made under subsection 3 if the Minister is no longer satisfied that the circumstances justify the declaration remaining in force Subsection 176A 8 ensures that only agencies with a demonstrated need for telecommunications data are able to authorise service providers to disclose this information 601 Under subsection 176A 9 revocation of a declaration does not affect the validity of an authorisation made by the authorised officer of an authority or body immediately before the revocation took effect This provision allows authorities and bodies to rely on 100 authorisations already issued and protects carriers who act on an authorisation before revocation 602 Subsections 176A 10 and 176A 11 respond to recommendation 21 of the 2015 PJCIS report 603 Paragraph 176A 10 a provides that the declaration enters into force either when it is made or on a later day specified in the declaration Paragraph 176A 10 b provides that the declaration ceases to be in force after 40 sitting days of either House of Parliament after the declaration comes into force The time to expiry of the declaration only commences once the declaration comes into force which may be later than when it is made 604 Subsection 176A 11 provides that when a Bill is introduced into either House of Parliament to amend the list of enforcement agencies in the TIA Act the Minister must refer the amending Bill to the PJCIS and give the PJCIS at least 15 sitting days of a House of Parliament to conduct its review and issue its report 101 PART 2—OTHER AMENDMENTS Telecommunications Interception and Access Act 1979 Item 5—Subsection 5 1 definition of Crime and Misconduct Commission 605 Subsection 5 1 of the TIA Act defines the term Crime and Misconduct Commission as meaning the Crime and Misconduct Commission of Queensland On 1 July 2014 the Crime and Misconduct Commission became the Crime and Corruption Commission under the Crime and Misconduct and Other Legislation Amendment Act 2014 Qld 606 Item 5 amends the definition of Crime and Misconduct Commission in subsection 5 1 of the TIA Act to recognise the Commission‘s change of name Item 6—Subsection 5 1 definition of criminal law-enforcement agency 607 Item 6 repeals the definition of ‗criminal law-enforcement agency‘ in subsection 5 1 of the TIA Act and replaces it with the definition of ‗criminal law-enforcement agency‘ in section 110A 608 Item 6 is consequential to Item 3 of Part 1 of Schedule 2 which inserts a definition of ‗criminal law-enforcement agency‘ in section 110A into the TIA Act Item 7—Subsection 5 1 definition of enforcement agency 609 Item 7 repeals the definition of ‗enforcement agency‘ in subsection 5 1 of the TIA Act and replaces it with the definition of ‗enforcement agency‘ in section 176A 610 Item 7 is consequential to Item 4 of Part 1 of Schedule 2 which inserts a definition of ‗enforcement agency‘ in section 176A into the TIA Act Item 8—Subsection 5 1 at the end of the definition of officer 611 Item 8 adds paragraphs n and o to the end of the definition of ‗officer‘ in subsection 5 1 of the TIA Act The definition of ‗officer‘ specifies the class of persons who may be taken to be officers of certain agencies eligible Commonwealth authorities or eligible authorities of a State 612 Paragraph n provides that for a criminal law enforcement agency for which a declaration under subsection 110A 3 is in force an officer is a person specified or of a kind specified in the declaration to be an officer of the criminal law enforcement agency for the purposes of the TIA Act This item is consequential to Item 3 of Part 1 of Schedule 2 which inserts a definition of ‗criminal law-enforcement agency‘ in section 110A into the TIA Act 613 Paragraph o provides that for an enforcement agency for which a declaration under subsection 176A 3 is in force an officer is a person specified or of a kind specified in the declaration to be an officer of the enforcement agency for the purposes of the TIA Act This is consequential upon Item 4 of Part 1 of Schedule 2 which inserts a definition of ‗enforcement agency‘ in section 176A into the TIA Act 102 614 Under Chapter 4 of the TIA Act only authorised officers of an enforcement agency can request telecommunications data from a carrier Officers must consider the privacy impacts of the disclosure or use of telecommunications information before making an authorisation and must also be satisfied that the disclosure is reasonably necessary for the enforcement of a relevant law Section 183 of the TIA Act requires that authorisations must be in a prescribed form and comply with any requirements made by the CAC a statutory position within the Attorney-General‘s Department currently filled by the First Assistant Secretary National Security Law and Policy Division These requirements are set out in the Telecommunications Interception and Access Authorisations Notifications and Revocations Determination 2012 Items 9 and 10—Section 107G 615 Section 107G of the TIA Act is an outline to Part 3-1A of the TIA Act which is about preserving stored communications Item 9 removes references to ‗an enforcement agency or the Organisation‘ in section 107G and substitute references to ‗a criminal law-enforcement agency or the Organisation‘ Item 10 removes references to ‗an interception agency or the Organisation‘ in section 107G and substitute references to a ‗criminal law-enforcement agency that is an interception agency or the Organisation‘ 616 Items 9 and 10 are consequential to Item 3 of Part 1 of Schedule 2 which inserts a new definition of ‗criminal law-enforcement agency‘ in section 110A into the TIA Act Item 11—Subsection 107J 1 heading 617 Section 107J of the TIA Act contains the heading ‗Notices given by enforcement agencies or interception agencies‘ 618 Item 11 repeals this heading and substitute the heading ‗Notices given by criminal law-enforcement agencies ‘ 619 Item 11 is consequential to Item 2 of Part 1 of Schedule 2 which deletes the reference to ‗an enforcement agency‘ in subsection 110 1 of the TIA Act Item 12—Paragraphs 107L 2 a 107M 1 a 2 a and 3 a 620 Sections 107L and 107M provide arrangements for revoking domestic preservation notices and who may give or revoke domestic preservation notices Item 12 repeals all references in those provisions to the term ‗enforcement agency‘ and substitute references to ‗a criminal law-enforcement agency‘ 621 Item 12 is consequential upon Item 2 of Part 1 of this Schedule which deletes the reference to ‗an enforcement agency‘ in subsection 110 1 Item 13—Part 3-3 heading 622 Part 3-3 is headed ‗Access by enforcement agencies to stored communications‘ 623 Item 13 deletes this heading and substitutes ‗Part 3-3—Access by criminal lawenforcement agencies to stored communications Item 13 is consequential to Item 2 of Part 1 103 of Schedule 2 which deletes the reference to ‗an enforcement agency‘ and substitute ‗a criminal law-enforcement agency‘ in subsection 110 1 of the TIA Act Item 14—Section 110 heading 624 Section 110 of the TIA Act is headed ‗110 Enforcement agencies may apply for stored communication warrants‘ Item 14 repeals this heading and substitutes the heading ‗110 Criminal law-enforcement agencies may apply for stored communications warrants‘ Item 14 is consequential to Item 2 of Part 1 of Schedule 2 which deletes the reference to ‗an enforcement agency‘ and substitute ‗a criminal law-enforcement agency‘ in subsection 110 1 of the TIA Act Items 15-33 35-36 38-39 41-47—omit references to ‘enforcement agency’ and ‘an enforcement agency’ and substitute references to ‘criminal law-enforcement agency’ and ‘a criminal law-enforcement agency’ 625 These items delete references to ‗enforcement agency‘ and ‗an enforcement agency‘s‘ as they appear in Chapter 3 of the TIA Act and substitutes them with references to ‗criminal law-enforcement agency‘ and ‗a criminal law-enforcement agency‘s‘ 626 These items are consequential to the amendments made by Item 2 of Part 1 of Schedule 2 which deletes the reference to ‗an enforcement agency‘ and substitutes ‗a criminal law-enforcement agency‘ in subsection 110 1 of the TIA Act Item 34—Section 130 heading 627 Section 130 of the TIA Act is headed ‗Evidentiary certificates relating to actions by criminal law-enforcement agencies‘ Item 34 repeals this heading and substitute the heading ‗130 Evidentiary certificates relating to actions by criminal law-enforcement agencies‘ 628 Item 34 is consequential to Item 2 of Part 1 of Schedule 2 which deletes the reference to ‗an enforcement agency‘ and substitutes ‗a criminal law-enforcement agency‘ in subsection 110 1 of the TIA Act Item 37—Subsection 135 1 heading 629 Subsection 135 1 of the TIA Act is headed ‗Communicating information to the appropriate enforcement agency‘ Item 37 repeals this heading and substitutes the heading ‗Communicating information to the appropriate criminal law-enforcement agency‘ 630 This amendment is consequential to Item 2 of Part 1 of Schedule 2 which deletes the reference to ‗an enforcement agency‘ and substitutes ‗a criminal law-enforcement agency‘ in subsection 110 1 of the TIA Act Item 40—Section 138 heading 631 Section 138 of the TIA Act is headed ‗Employee of carrier may communicate information to the enforcement agency‘ Item 40 repeals this heading and substitutes the heading ‗138 Employee of carrier may communicated information to the criminal lawenforcement agency‘ 104 632 Item 37 is consequential to Item 2 of Part 1 of Schedule 2 which deletes the references to ‗an enforcement agency‘ and substitutes ‗a criminal law-enforcement agency‘ in subsection 110 1 of the TIA Act Part 3—Application Provisions Item 48—Existing domestic preservation notices 633 Item 48 is a transitional provision that provides that existing domestic preservation notices continue to be in force after the commencement of Schedule 2 even if the authority or body that gave the notice is not able to give a notice under the TIA Act as amended because it is not a criminal law-enforcement agency This provision allows agencies to rely on notices already issued and ensures that carriers do not unlawfully access stored communications Item 49—Existing stored communications warrants 634 Item 49 is a transitional provision that provides that existing stored communications warrants continue to be in force after the commencement of Schedule 2 even if the authority or body that obtained the warrant is not able to obtain the warrant under the TIA Act as amended because it is not a criminal law enforcement agency This provision allows agencies to rely on warrants already issued and ensures that carriers do not unlawfully access stored communications Item 50—Existing authorisations 635 Item 50 is an application provision that provides that existing authorisations continue to be in force after the commencement of Schedule 2 even if the authority or body that made the authorisations is not able to make authorisations under the TIA Act as amended because it is no longer an enforcement agency 636 This provision allows agencies to rely on authorisations already issued and ensures that carriers do not unlawfully disclose information or documents the disclosure of which would otherwise be prohibited under section 276 277 or 278 of the Telecommunications Act 1997 Item 51—Evidentiary certificates 637 Item 51 is an application provision which ensures that evidentiary certificates do not become invalid upon the commencement of this Act Evidentiary certificates are received as evidence of facts in prosecutions and civil penalty court proceedings and the amendments contained in this item ensures that court proceedings are not adversely impacted by a change in an authority or body‘s status when this Act commences 638 Subitem 1 provides that an evidentiary certificate issued by an authority or body under section 107U or 130 of the TIA Act continues to be in force even if on the commencement of Schedule 2 the authority or body ceases to be a criminal law-enforcement agency 105 639 Subitem 2 provides that an evidentiary certificate issued by an authority or body under section 185C of the TIA Act continued to be in force even if on the commencement of Schedule 2 the authority or body ceases to be an enforcement agency 640 Subitem 3 provides that an authority or body that ceases to be a criminal law-enforcement agency upon the commencement of Schedule 2 is able to issue evidentiary certificates under section 107U or 130 of the TIA Act with respect to anything done before the commencement of Schedule 2 641 Subitem 4 provides that an authority or body that ceases to be an enforcement agency upon the commencement of Schedule 2 is able to issue evidentiary certificates under section 107U or 130 of the TIA Act with respect to anything done before the commencement of Schedule 2 106 SCHEDULE 3—OVERSIGHT BY THE COMMONWEALTH OMBUDSMAN Overview of measures 642 Schedule 3 implements the relevant part of recommendation 42 of the 2013 PJCIS Report that data retention legislation should include oversight of agencies‘ access to telecommunications data by the Ombudsman and the IGIS 643 Schedule 3 amends the TIA Act by inserting obligations to keep records in relation to the access of stored communications Chapter 3 of the TIA Act and telecommunications data Chapter 4 of the TIA Act The Bill inserts Chapter 4A to implement a comprehensive record-keeping inspection and oversight regime in relation to the issue of preservation notices by criminal law-enforcement agencies the access to and dealing with stored communications by criminal law-enforcement agencies and the access to and dealing with telecommunications data by criminal law-enforcement agencies and enforcement agencies 644 The record-keeping regime requires all Commonwealth State and Territory enforcement agencies to keep prescribed information and documents necessary to demonstrate that they have exercised their powers under Chapters 3 and 4 in accordance with their statutory obligations under the TIA Act The specificity of the oversight provisions is intended to provide sufficient clarity to enable agencies to be properly versed as to what the Ombudsman would require to be kept and made available at inspections 645 The inspection and oversight regime requires the Ombudsman to inspect and oversight the records of Commonwealth State and Territory agencies in order to assess compliance against the exercise of their powers under Chapters 3 and 4 of the TIA Act 646 Currently the TIA Act does not provide for independent oversight for the use of and access to telecommunications data by enforcement agencies Under the TIA Act the Ombudsman has limited audit functions to assess the compliance by agencies with record keeping and record destruction obligations in relation to the issue of preservation notices and access to stored communications While carrying out such an audit other compliance issues may come to the Ombudsman‘s attention but these would not expressly fall within the Ombudsman‘s existing inspection remit under the TIA Act While the Ombudsman is empowered to report on these additional compliance issues by virtue of the existing ‗incidental or conducive to the performance‘ of functions provision in section 152 the extent of the Ombudsman‘s power is not clearly delineated 647 The IGIS currently inspects and reports on access to telecommunications data by ASIO under the Inspector-General of Intelligence and Security Act 1986 648 The oversight regime is similar to the existing Ombudsman oversight model contained in Part 6 of the Surveillance Devices Act 2004 SD Act and enables comprehensive assessment of agency compliance with all of an enforcement agency‘s or a criminal law-enforcement agency‘s obligations under Chapters 3 and 4 of the TIA Act 107 including access to and use of telecommunications data which can be accessed on a historical basis sections 178 178A 179 and on a prospective or near-real time basis section 180 Oversight of this category of data by extension captures the set of telecommunications data that service providers are required to retain under subsection 187A of the Act 649 The provisions relating to the powers scope and reporting obligations of the oversight role are intended to enable the Ombudsman to provide public assurance and to enhance levels of transparency and public accountability These provisions also align with other oversight roles performed by the Ombudsman such as those performed under the SD Act and the Controlled Operations provisions in Part IAB of the Crimes Act 1914 650 Part 1 of this Schedule contains the main amendments to Chapters 3 and 4 as well as minor and consequential amendments to Chapters 1 and 2 These main amendments introduce new record-keeping obligations for criminal law-enforcement agencies and enforcement agencies and establish a comprehensive oversight regime administered by the Ombudsman for such agencies accessing stored communications and telecommunications data 651 Part 2 of this Schedule provides for how the amendments contained in Schedule 3 apply upon their commencement PART 1—AMENDMENTS Telecommunications Interception and Access Act 1979 Item 1—Subsection 5C 1 652 Item 1 amends section 5C of the TIA Act which defines when information or a question is relevant to an inspection by the Ombudsman The clause deletes the reference to ‗Part 3-5‘ in subsection 5C 1 of the TIA Act and substitutes a reference to Chapter 4A of the TIA Act 653 This is a technical amendment to ensure that the definition of when information or a question is relevant to an Ombudsman inspection refers to the provisions of the Act which pertain to Ombudsman oversight contained in Chapter 4A Item 2—At the end of section 87 654 Section 87 of the TIA Act sets out the powers the Ombudsman has to obtain relevant information in documentary or oral form in relation to an Ombudsman inspection of the use of interception powers by Commonwealth agencies in circumstances where the Ombudsman has reason to believe that an officer of an agency is able to give information relevant to an inspection under Part 2-7 and relating to that agency‘s records 655 This item inserts subsection 87 6 into the TIA Act that makes refusal to attend give information or to answer questions in relation to an inspection a criminal offence The penalty for an offence against subsection 87 6 is six months imprisonment 656 Subsection 87 6 mirrors subsection 186C 3 applicable to stored communications and telecommunications data in terms of the form of the offence and the applicable penalty 108 It is also broadly consistent with similar provisions under the Surveillance Devices Act 2004 section 56 and the Inspector-General of Intelligence and Security Act 1986 section 18 The offence provision is only enlivened in relation to officials of law enforcement agencies Such officials hold positions of public trust and exercise intrusive and covert powers under the TIA Act Public confidence in the justice system requires that officials are held to a higher standard of conduct particularly because there are fewer avenues to identify misconduct or systemic non-compliance in the telecommunications interception environment due to its covert nature Item 3—Section 134 657 This item amends section 134 of the TIA Act which sets out when a person may deal in preservation notice information or stored communications warrant information 658 The amendment provides that a person may deal in such information for the purposes of Chapter 4A of the TIA Act Oversight by the Commonwealth Ombudsman The purpose of this provision is to clarify that dealing with preservation notice information and stored communications information is permitted if it is for the purposes of an Ombudsman inspection under Chapter 4A of the TIA Act Item 4—Part 3-5 heading 659 This item repeals the heading to Part 3-5 ‗Keeping and inspection of preservation notices and access records‘ and substitutes a new heading ‗Keeping and inspection of records‘ The new heading is a technical amendment to reflect the amendments to Part 3-5 in the Bill While the current Part 3-5 of the Act contains both record keeping obligations on agencies and an inspection regime by the Ombudsman the amended Part 3-5 of the Act is limited to placing inspection obligations on criminal-law enforcement agencies although section 158A of the TIA Act will remain The change in the heading to Part 3-5 reflects this extended remit Item 5—Section 151 of Division 1 of Part 3-5 Obligation to keep records 660 This item repeals Divisions 1 and 2 of Part 3-5 and substitutes a new Division 1 of Part 3-5 661 Division 1 of Part 3-5 currently describes the records that enforcement agencies must keep in relation to their use of preservation notices and the use of powers to access stored communications 662 Division 2 of Part 3-5 currently sets out a regime for inspection of record keeping by enforcement agencies relating to preservation notices and access to stored communications 663 Repealing Divisions 1 and 2 and substituting new Division 1 is necessary so that auditing of stored communications can be undertaken in a manner consistent with the approach to the oversight of other powers exercisable under Chapter 4 of the TIA Act 664 Section 151 comprehensively sets out the information or documents that a criminal law-enforcement agency must retain to enable the Ombudsman to inspect the agency‘s records to determine the extent of its compliance with Chapter 3 of the TIA Act Chapter 3 of 109 the Act relates to issuing preservation notices and access to and dealing with stored communications 665 The purpose of section 151 is to ensure that agencies retain the records that the Ombudsman requires in order to carry out his or her inspection functions under Chapter 4A of the TIA Act 666 An agency meets the requirements of section 151 by retaining either the original or a copy of the relevant document 667 Subsection 151 2 provides that the Minister may by legislative instrument prescribe the kinds of documents and other materials that the chief officer of a criminal law-enforcement agency must cause to be kept in the agency‘s records The requirement for additional records to evidence compliance is prospective Any prescription of documents by legislative instrument will enable the record keeping list for the purpose of compliance assessment to expand over time if it is deemed additional record keeping requirements are required to enable the Ombudsman to determine agencies‘ compliance 668 Subsection 151 3 specifies how long agencies must retain records for compliance inspection purposes This provision requires agencies to retain the records referred to in subsection 151 1 and any documents or other materials prescribed under subsection 151 2 for a maximum of 3 years from when the document or record came into existence subparagraph 151 3 b i or until the Ombudsman gives a report to the Minister under section 186J about records including that particular record subparagraph 151 3 b ii whichever happens earlier Requiring agencies to keep records until the Ombudsman has made findings on and made reports in relation to those records meets the Ombudsman‘s requirements for when they no longer require the records for inspection purposes The maximum retention period of three years is consistent with the period currently contained in section 185 of the TIA Act for the retention of data authorisations made under Divisions 4 and 4A of Part 4-1 The approach also avoids imposition of arbitrary and discordant retention timeframes on agencies across record types Item 6—Section 186A Obligation to keep records 669 Section 186A sets out the information or documents that an enforcement agency must retain to ensure that the Ombudsman is able to inspect the agency‘s records to determine the extent of the agency‘s compliance with Chapter 4 of the TIA Act Chapter 4 of the Act relates to enforcement agencies‘ access to and dealing with telecommunications data 670 An agency meets the requirements of section 186A by retaining either the original or a copy of the relevant document 671 Subsection 186A 2 allows the Minister to prescribe the kinds of documents and other materials that a criminal law-enforcement agency must keep in addition to those specified under subsection 186A 1 A declaration will be a legislative instrument for the purposes of the Legislative Instruments Act 2003 Subsection 186A 2 operates in conjunction with paragraph 186A 1 j of the TIA Act which requires criminal law-enforcement agencies to retain such records 672 The purpose of subsection 186A 2 and related paragraph 186A 1 j is to require new classes of documentation to be kept in future as the new inspection regime develops It also 110 accommodates the addition of new types of documents to be retained if the powers and functions of relevant agencies and the Ombudsman change 673 Subsection 186A 3 specifies how long agencies must retain records for compliance inspection purposes This provision requires agencies to retain the records referred to in paragraphs 186A 1 a - i and other materials prescribed under subsection 186A 2 for a maximum of 3 years from when the document or record came into existence paragraph 186A 3 b i or when the Ombudsman gives a report to the Minister under section 186J about records that include that particular record paragraph 186A 3 b ii whichever happens earlier 674 Requiring agencies to keep records until the Ombudsman has made findings on and made reports in relation to those records would meets the Ombudsman‘s requirements for when they no longer require the records for inspection purposes The maximum of three years is consistent with the period currently contained in section 185 of the TIA Act for the retention of data authorisations made under Divisions 4 and 4A of Part 4-1 However the retention period referred to in subsection 186A 3 does not affect the operation of the retention period section 185 which does still apply Item 7—Chapter 4A Oversight by the Commonwealth Ombudsman 675 Item 7 inserts Chapter 4A before Chapter 5 of the TIA Act Chapter 4A sets out a new oversight regime for the Commonwealth Ombudsman Section 186B—Inspection of records 676 Section 186B establishes an inspection regime to enable the Ombudsman to inspect the records kept by enforcement agencies associated with the use of and access to telecommunications data and stored communications Sections 151 and 186A facilitate this inspection regime by requiring agencies to keep such records The role of the Ombudsman is to determine whether an agency is compliant with its obligations relating to the issue of preservation notices and access to stored communications under Chapter 3 and access to telecommunications data under Chapter 4 of the TIA Act 677 Subsection 186B 1 is not intended to require the Ombudsman nor to give the Ombudsman the power to inspect review or report on whether an issuing authority ought to have issued a stored communications warrant under section 116 of the TIA Act 678 Paragraph 186B 1 a requires the Ombudsman to inspect the records of enforcement agencies to determine the extent of their compliance with the exercise of statutory powers associated with telecommunications data access set out in Chapter 4 of the TIA Act 679 Access to telecommunications data by enforcement agencies has the potential to impact on the privacy of persons whose data is being accessed The comprehensive oversight regime for telecommunications data assists in ensuring that access to and the use and disclosure of telecommunications data by enforcement agencies including retained data under Chapter 4 of the TIA Act is subject to independent compliance assessment It also serves to provide an important level of public accountability and scrutiny of agency practices by virtue of the Ombudsman public reporting regime implemented in Chapter 4A 111 680 Paragraph 186B 1 b requires the Ombudsman to inspect the records of criminal lawenforcement agencies to determine the extent of their compliance with the requirements set out in Chapter 3 of the TIA Act in relation to the issue of preservation notices and the access to and dealing with stored communications It also requires the Ombudsman to inspect records of an enforcement agency to determine the extent of compliance with Chapter 4 by the agency and its officers 681 Tailored oversight provisions in relation to the use by agencies of preservation notices and their access to and dealing with stored communications are important inclusions in the Bill because the use of preservation notices by criminal law-enforcement agencies potentially impacts on individual privacy in that agencies can use such notices to ensure that carriers and carriage service providers preserve the private stored communications of persons where the agency intends to later apply for an interception or stored communications warrant to access those communications in connection with the investigation of a serious contravention and the access to and dealing with stored communications by criminal law-enforcement agencies also potentially impacts on individual privacy As such it is important that access to and dealing with such communications occurs only as permitted under the TIA Act 682 The purpose of an Ombudsman oversight regime in relation to preservation notices and stored communications is to ensure from a public accountability perspective that criminal law-enforcement agencies only use such powers strictly in accordance with the statutory requirements under Chapter 3 of the TIA Act The oversight regime is also intended to reassure the public that agencies are exercising these covert and intrusive powers in accordance with the law 683 Subsection 186B 2 provides that the Ombudsman for the purpose of an investigation under subsection 186B 2 can enter premises occupied by an agency at any reasonable time after notifying the chief officer of the agency The Ombudsman is then entitled to full and unimpeded access at all reasonable times to all records of the agency that are relevant to the Ombudsman‘s inspection The Ombudsman is entitled to make copies of and take extracts from the agency‘s records where relevant to the investigation The provision also gives the Ombudsman the power to require a member of staff of the agency to provide any information relevant to the inspection that is in their possession or to which the staff member has access 684 Subsection 186B 2 ensures that the Ombudsman has sufficient powers to carry out the Ombudsman‘s inspection functions under Chapter 4A in relation to agencies 685 Under subsection 186B 2 the Ombudsman is not restricted in the frequency with which the Ombudsman may inspect the records of an agency For example the Ombudsman could choose inspection cycles of twelve months six months three months or some other period to inspect the records of any particular agency This flexibility is intended to cater for the significant differences in the size structure functions and internal systems and procedures of the various criminal law-enforcement agencies the variable nature and flow of investigations and to ensure the new inspection regime is sufficiently responsive to differing contingencies encountered during an inspection Depending on the circumstances this may necessitate other adaptive approaches including for example staged or rolling inspection 112 programs a quarter-sized inspection four times a year or inspecting different field offices at different times if that was more convenient for the agency from an operational perspective or logistically more feasible The current stored communications inspection regime under the TIA Act and the regime under the SD Act do not cap the number of inspections and section 186B is consistent with those existing statutory frameworks 686 Subsection 186B 3 requires the Ombudsman to give the chief officer of an enforcement agency reasonable notice of an inspection under subsection 186B 2 687 Subsection 186B 4 requires the chief officer of an agency to ensure that his or her staff provide the Ombudsman with any assistance that the Ombudsman reasonably requires to enable the Ombudsman to perform his or her functions under section 186B The purpose of subsection 186B 4 is to ensure that agency staff provide reasonable cooperation to the Ombudsman in relation to the Ombudsman carrying out his or her statutory inspection functions 688 Subsection 186B 5 provides that subsection 186B 1 does not require the Ombudsman to inspect all of the information or documents which could conceivably come under the auspices of paragraphs 186B 1 a and b As subsection 186B 1 provides that the Ombudsman ‗must‘ inspect the records of an agency to determine the extent of compliance by the agency with Chapter 3 or Chapter 4 of the TIA Act subsection 186B 5 serves as an avoidance of doubt clause to qualify the directive obligation set out in section 186B 1 689 The purpose of this subsection is to make it clear that the Ombudsman can use any appropriate inspection methodology for example sampling as indicative of compliance across a particular record field or focusing the majority of the Ombudsman‘s attention on areas considered to be higher risk The subsection is also intended to clarify that the Ombudsman has the discretion to inspect records the Ombudsman considers to be appropriate in fulfilling his or her inspection functions under Chapter 4A and is not required to inspect every record held by an agency 690 In addition subsection 186B 5 is not intended to impact upon or result in a diminution of the Ombudsman‘s inspection function under subsection 186B 1 691 Subsection 186B 6 provides that the Ombudsman may choose to refrain from inspecting records of an agency that concern the obtaining or the execution of a stored communications warrant or telecommunications data authorisation while an ongoing operation is being conducted in relation to that warrant or authorisation 692 The purpose of subsection 186B 6 is to ensure that inspections do not interfere with the progress of a current operation This provision is intended to avoid inspections occurring at an intermediate juncture when operations being conducted under a stored communications warrant or an authorisation under Division 3 4 or 4A of Part 4-1 of the TIA Act are actively being progressed Inspecting records at these times could potentially hamper the conduct of proceedings or impede the progress of investigations Further the inspection results may be improperly calibrated because they would measure compliance before critical events have occurred in respect of the issuing or execution of a warrant or may occur during the course of obtaining an emergency or tracking device authorisation 113 Section 186C—Power to obtain relevant information 693 Section 186C empowers the Ombudsman to require an officer of an enforcement agency to provide information to the Ombudsman in writing signed by the officer at a specified place and within a specified period of time where the Ombudsman has reason to believe that the officer is able to give the information required 694 Section 186C ensures that the Ombudsman has sufficient power to carry out the Ombudsman‘s inspection functions under Chapter 4A and can acquire supplementary information where necessary to effectively conduct an investigation including by requiring officers of an agency to attend and answer relevant questions 695 Under paragraph 186C 1 a if the Ombudsman knows the officer‘s identity the Ombudsman must write to the officer in order to require the officer to provide the written information and or attend to answer questions 696 Paragraph 186C 1 b applies when the Ombudsman does not know the identity of the relevant officer in an agency In these circumstances the provision authorises the Ombudsman to write to the chief officer of an enforcement agency to require them or a person nominated by the chief officer to answer questions relevant to the inspection before a specified inspecting officer at a specified place and within a specified period or at a particular time on a particular day which is reasonable having regard to the circumstances 697 Subsection 186C 2 provides that the Ombudsman must specify a place and time for an officer to attend as required under subsection 186C 1 The place and time nominated must be reasonable in the circumstances 698 Subsection 186C 3 establishes an offence where a person refuses to attend before a person give information or answer questions when required to do so under section 186C The maximum penalty for the offence is imprisonment for six months 699 The purpose of an offence provision under subsection 186C 3 is to ensure that agency officers do not hinder the Ombudsman inspection functions under Chapter 4A of the TIA Act by unreasonably refusing to attend give information or answer questions as required It is also broadly consistent with similar provisions under the Surveillance Devices Act 2004 section 56 and the Inspector-General of Intelligence and Security Act 1986 section 18 The offence provision is only enlivened in relation to officials of law enforcement agencies Such officials hold positions of public trust and exercise intrusive and covert powers under the TIA Act Accordingly public confidence in the justice system requires that officials are held to a higher standard of conduct particularly because there are fewer avenues to identify misconduct or systemic non-compliance in the telecommunications interception environment due to its covert nature Section 186D—Ombudsman to be given information and access despite other laws 700 Section 186D provides that a person is to be given information and access to documents despite other laws including the laws of any State or Territory The purpose of this provision is to ensure that the Ombudsman is able to obtain all the information and documents required to carry out the Ombudsman‘s inspection functions under the TIA Act and that agency officers are not prevented by other laws from providing necessary information or assistance 114 701 Subsection 186D 1 provides that a person is not excused from giving information answering a question or giving access to a document disclosing information as required under Chapter 4A oversight by the Commonwealth Ombudsman of the TIA Act despite other matters which may otherwise bar the giving of that information 702 These matters are listed at paragraphs 186D 1 a to c and are that disclosure of the information would be a contravention of a law including the law of any State or Territory contrary to the public interest or might tend to incriminate the person or make the person liable to a penalty 703 Paragraph 186D 1 c abrogates the privileges against self-incrimination or selfexposure to a civil or administrative penalty hereinafter referred to together as ‗selfincrimination‘ in relation to the disclosure of information required under Chapter 4A 704 However subsection 186D 2 provides that the disclosed information cannot be used as evidence against the person who disclosed that information whether directly or indirectly a ‗use immunity‘ and ‗derivative use‘ immunity The use and derivative use immunity does not apply to prosecutions for offences against sections 133 181A 181B and 182 of the TIA Act or Part 7 4 or 7 7 of the Criminal Code 705 Section 133 of the TIA Act creates an offence of unlawful dealing in accessed stored communications under Chapter 3 Part 3-4 Division 1 of the TIA Act Sections 181A 181 and 182 create offences for unlawful dealing in telecommunications data authorisation information or unlawful secondary disclosure of accessed telecommunications data under Chapter 4 Part 4-1 Division 6 of the TIA Act Parts 7 4 false or misleading statements and Part 7 7 forgery and related offences of the Criminal Code create offences relating to hindering obstructing intimidating or resisting a public official in the performance of their functions 706 The use and derivative use immunity does not prevent the admission of disclosed information as evidence against a person other than the person who disclosed the information 707 The immunity is an important human right However the public interest in abrogating the privilege outweighs the interest in maintaining the privilege First the powers to access stored communications and telecommunications data are intrusive and covert powers the unlawful use or disclosure of which could potentially result in significant harm to individuals including a significant intrusion on their privacy There is therefore a strong public interest in the Ombudsman being the relevant oversight body for these powers to be able to compel an officer of an enforcement agency to reveal information that might indicate that stored communications or telecommunications data have been unlawfully used or disclosed even if doing so would show that the person had committed an offence or might be liable to a penalty 708 Second the integrity of the stored communications and telecommunications data regimes and public confidence therein are important in their own right The powers afforded to agencies under these regimes are key investigative tools for a range of serious criminal offences the investigation of which are manifestly in the public interest Officers exercising these powers are afforded a high degree of public trust given their intrusive and covert nature A serious breach of the integrity of the regime and or a loss of confidence therein including a loss of confidence based on a perception of a lack of integrity would create a serious risk that these powers would be fettered or removed to the detriment of agencies‘ 115 investigative capabilities It is therefore important that the Ombudsman have the power to compel an officer of an enforcement agency to reveal information that might indicate that stored communications or telecommunications data have been unlawfully used or disclosed and to be seen to have such a power even if doing so would show that the person had committed an offence or might be liable to a penalty 709 Third the abrogation of the privilege occurs within the context of a regulatory regime and applies only to people who are voluntarily subject to that regime being in all cases people who have chosen to be officers of enforcement agencies and in most cases officers who have chosen to be involved in or in relation to the exercise of these powers under Chapters 3 and 4 of the TIA Act 710 The harm to individual rights is minimised by the provision of a use and derivative use immunity The immunity is however limited and does not apply to proceedings for specific offences prosecutions and civil penalties under the TIA Act and certain Criminal Code offences 711 The regime contained in Chapter 4A strengthens oversight and accountability of agency access to stored communications and telecommunications data The benefit to the public of an effective oversight regime is high given the privacy sensitive nature of this information The disclosure of information to the Commonwealth Ombudsman and the ability to prosecute a person involved in wrongdoing under the TIA Act forms a core part of the inspection and oversight functions of the Ombudsman This function would be significantly impaired if persons were excused from providing self-incriminating information or if that information could not be used as evidence in TIA Act proceedings 712 Other laws do not prevent the disclosure of information for the purposes of an inspection Subsections 186D 3 and 4 provide that the unlawful disclosure provisions in sections 133 181A 181B or 182 of the TIA Act or in any other law do not prevent the disclosure of information to an inspecting officer of the Commonwealth Ombudsman for the purposes of an inspection under the oversight provisions contained in Chapter 4A 713 The purpose of provisions such as those in sections 133 181A 181B or 182 of the TIA Act is to protect the privacy of impact on persons whose information was accessed under the TIA Act Given the purpose of the oversight regime in ensuring that agencies access this privacy sensitive information in a lawful manner it is appropriate that the requirement to disclose information to the Ombudsman under section 186D overrides any other laws that prevent the disclosure of that information Subsection 186D 3 provides that nothing in sections 133 181A 181B or 182 of the TIA Act or any other law prevents an officer of an enforcement agency from providing information to an inspecting officer in any form or from providing access to records of the enforcement agency for the purposes of an inspection under Chapter 4A 714 Subsection 186D 4 provides that nothing in sections 133 181A 181B 182 of the TIA Act or any other law prevents an officer of an enforcement agency from making a record of information or causing such a record to be made for the purposes of giving the information to a person as permitted by subsection 186D 3 116 Section 186E—Application of Ombudsman Act 715 Section 186E sets out the interaction of the Ombudsman Act 1976 Cth the Ombudsman Act with the new Ombudsman oversight regime in Chapter 4A of the TIA Act This provision ensures that the specific powers and duties of the Ombudsman in Chapter 4A interact correctly and appropriately with the general powers and duties of the Ombudsman in the Ombudsman Act 716 Subsection 186E 1 provides that section 11A of the Ombudsman Act regarding the power of the Federal Court of Australia to determine matters concerning the Ombudsman‘s powers does not apply to the exercise of a power or function by the Ombudsman under Chapter 4A 717 Subsection 186E 2 provides that section 19 of the Ombudsman Act regarding annual reporting to Parliament does not apply to any act or omission of an Ombudsman inspecting officer under Chapter 4A 718 Subsection 186E 3 provides that subject to section 186D which provides that the Ombudsman is to be given information and access despite other laws sections 35 2 3 4 and 8 of the Ombudsman Act regarding the preservation of confidentiality of inspecting officers apply for the purposes of Chapter 4A Section 186F—Exchange of information between Ombudsman and State inspecting authorities 719 Section 186F allows the Ombudsman to develop more effective and consistent inspection arrangements with State and Territory inspection authorities including State or Territory Ombudsmen Section 186F ensures that the Ombudsman and State and Territory inspecting authorities including State and Territory Ombudsmen can exchange information with each other that is relevant to their inspection functions 720 Subsection 186F 1 enables the Ombudsman to give information that relates to an authority of a State or Territory which was obtained by the Ombudsman under the TIA Act to the inspecting authority in relation to the agency in the relevant State or Territory 721 Subsection 186F 2 qualifies subsection 186F 1 by providing that the information can only be passed where the Ombudsman believes the information is necessary for the inspecting authority to perform its functions in relation to the State or Territory agency 722 Subsection 186F 3 also provides that the Ombudsman can receive from an inspecting authority information relevant to the performance of the Ombudsman‘s functions under the TIA Act Section 186G—Delegation by Ombudsman 723 Section 186G provides for the Ombudsman‘s powers of delegation This provision ensures that members of the staff of the Ombudsman‘s office can perform the functions of the Ombudsman as required It is envisaged that the functions of the Ombudsman will be carried out by members of the Ombudsman‘s staff under a Carltona type delegation Carltona delegates would act in the name of the person making the delegation—the Ombudsman The 117 delegation provisions would not preclude the Ombudsman from making an ordinary statutory delegation of powers 724 Subsection 186G 1 provides that the Ombudsman may delegate the Ombudsman‘s powers under Chapter 4A to an Australian Public Service APS employee responsible to the Ombudsman which may include for example an employee of another APS agency seconded to the Ombudsman‘s office or an employee of a State or Territory oversight body that has similar oversight functions to the Commonwealth Ombudsman 725 Subsection 186G 1 also provides that the Ombudsman does not have the power to delegate the power to report to the Minister as set out in section 186J In addition the Ombudsman‘s power to delegate does not include the power of delegation set out in subsection 186G 1 726 A delegation by the Ombudsman under subsection 186G 1 does not prevent the exercise of that power by the Ombudsman 727 Subsection 186G 2 provides that a delegate must produce upon the request of any person affected by an exercise of power under a delegation under s186G 1 the instrument to the person or a copy of the instrument The delegate can satisfy this requirement by producing an electronic copy of the delegation Section 186H—Ombudsman not to be sued 728 Section 186H confers immunity from suit to the Ombudsman an inspecting officer or a person acting under an inspecting officer‘s authority for an act or omission made in good faith in the performance of the Ombudsman‘s inspection functions under Chapter 4A 729 Section 186H ensures that the Ombudsman and the Ombudsman‘s staff are able to perform their inspection functions under Chapter 4A without being impeded by the possibility of legal action However this immunity only applies if the inspection functions are being carried out in good faith Section 186J—Reports 730 Section 186J implements a new public reporting regime in relation to the Ombudsman‘s oversight functions set out under section 186B The Ombudsman is required to report on the results of its oversight functions relating to compliance by agencies generally with the requirements of Chapters 3 and 4 of the TIA Act relating to issue of preservation notices access to stored communications and access to telecommunications data 731 One of the purposes of section 186J is to ensure that the Ombudsman is able to make public the results of its inspections under Chapter 4A Public reporting by the Ombudsman is a key element in providing public accountability and transparency in relation to the use by agencies of their powers under Chapters 3 and 4 of the TIA Act It is also designed to reassure the public that agencies are using their powers under Chapters 3 and 4 of the TIA Act lawfully and appropriately 732 Subsection 186J 1 provides that the Ombudsman must provide a written report to the Minister containing the results of the inspections undertaken under section 186B of the TIA Act 118 733 Subsection 186J 2 provides that the Ombudsman must give the Minister the report as soon as practicable by the end of each financial year This gives the Ombudsman‘s inspectors some further latitude given the wide ranging compliance assessments that need to be conducted across a range of agencies against all powers potentially exercisable under Chapters 3 and 4 An extended timeframe may be required particularly with the introduction of the mandatory data retention regime which may collaterally impact upon the time needed to conduct and the complexity of compliance assessment 734 Subsection 186J 3 provides that a copy of the Ombudsman‘s report is to be tabled by the Minister before each House of Parliament within 15 sitting days of that House after the Minister has received the report 735 Subsection 186J 4 provides that the Ombudsman can report to the Minister at any time and also that the Minister may require the Ombudsman to do so The purpose of this provision is to clarify that the Ombudsman is not restricted to providing reports to the Minister only at twelve monthly intervals For example the Ombudsman could choose to report more frequently in relation to a particular agency This is consistent with the provisions in section 186B which provide that the Ombudsman may inspect the records of an agency at any time 736 Subsection 186J 4 also clarifies that the Minister can require the Ombudsman to report to the Minister on an inspection by the Ombudsman under Chapter 4A 737 Subsection 186J 5 provides that the Ombudsman can include in an inspection report any suspected contravention of the TIA Act by an officer of an enforcement agency the Ombudsman has inspected This provision ensures that the Ombudsman has a general power to report on purported contraventions of the TIA Act that the Ombudsman discovers in relation to its inspections under Chapter 4A of the Act 738 A suspected contravention reported by the Ombudsman does not as a matter of course give rise to or imply legal liability In complying with this section the Ombudsman is bound by the obligations imposed by sections 133 181B and 182 of the TIA Act Section 133 of the TIA Act creates an offence of unlawful dealing in accessed stored communications under Chapter 3 Part 3-4 Division 1 of the TIA Act Sections 181B and 182 create offences for unlawful dealing in telecommunications data authorisation information or unlawful secondary disclosure of accessed telecommunications data under Chapter 4 Part 4-1 Division 6 of the TIA Act 739 Subsection 186J 6 requires the Ombudsman to give a copy of a report to the chief officer of the relevant enforcement agency which is the subject of the report 740 Subsection 186J 7 provides that an Ombudsman‘s report must not contain information that could endanger a person‘s safety prejudice an investigation or prosecution or compromise an enforcement agency‘s lawful activities or methods The purpose of this provision is to ensure that the report does not contain security sensitive information or information which reveals law enforcement capability that should not be made public 119 PART 2—APPLICATION PROVISIONS 741 Part 2 of Schedule 3 contains application provisions in relation to Ombudsman inspections Ombudsman reports and the obligation by agencies to retain records for the purposes of Ombudsman inspections Item 8—Existing inspections by the Ombudsman 742 Item 8 is an application provision It provides that Ombudsman inspections in existence before the commencement of Schedule 3 but not yet completed are treated as Ombudsman inspections conducted as if they were being conducted under the regime in Chapter 4A of the TIA Act The provision also provides that anything done under the inspection before the commencement of Chapter 4A is deemed to have been done under Chapter 4A 743 This provision ensures that existing Ombudsman inspections still in progress prior to the commencement of the new inspection regime in Chapter 4A remain valid Item 9—Reports 744 Item 9 is an application provision It applies to Ombudsman inspections under the current section 152 of the TIA Act that had been completed prior to the commencement of the new inspection regime but which the Ombudsman had not yet reported on under current section 153 of the TIA Act The provision applies the reporting provisions in section 186J to these circumstances 745 This item ensures that the Ombudsman can still report on material for which it had completed an inspection under the current section 152 but had not yet been able to provide a report under current section 153 of the TIA Act Item 10—Obligation to keep records 746 Item 10 is an application provision It provides that the new record keeping provisions in relation to Ombudsman inspections in sections 151 and 186A do not apply to anything done before commencement of the new inspection regime in Chapter 4A of the TIA Act This provision clarifies that agencies are not required to comply with the more detailed record keeping obligations in sections 151 and 186A of the TIA Act in relation to their use of powers under Chapters 3 and 4 of the TIA Act prior to the commencement of the new Ombudsman inspection regime 747 The item also provides that the record keeping provisions in the current 150A of the TIA Act relating to preservation notices and section 151 of the TIA Act relating to stored communications access continue to apply to anything done prior to the commencement of the new inspection regime This ensures that enforcement agencies as that term applied under the TIA Act prior to the commencement of this legislation must comply with the record keeping provisions in current sections 150A and 151 of the TIA Act in relation to their use of powers in Chapter 3 of the TIA Act prior to the commencement of the new Ombudsman inspection regime 120