On Tuesday 13 October 2015, the amendments to the Telecommunications (Interception and Access) Act 1979 came into effect. The amendments are more commonly known as the “Data Retention Regime” and were passed as a security measure to aid in the investigation of terrorism and serious crimes.
How does it affect your business?
The Data Retention Regime applies to telecommunications companies (telcos) and certain internet service providers (ISPs). Telcos and ISPs are required to store a range of metadata for up to two years. The metadata that is required to be stored includes data associated with communications via email, mobile phones and landlines. Web browsing history is specifically excluded from the regime and data associated with third-party services (e.g. Facebook, Skype and WhatsApp) are also excluded.
Unless you are a telco or ISP, you are not under any data retention obligations as a result of the Data Retention Regime. Agencies in the communications space do not have any new obligations as a result of the introduction of the Data Retention Regime. However, if you are a telco or ISP, we recommend that you seek legal advice in determining the extent to which you have data retention obligations under the regime and the most effective way to comply with the amendments to the law.
The metadata collected by telcos and ISPs will include metadata contained in business communications. But what exactly is metadata? There is currently no definition provided in the Telecommunications (Interception and Access) Act 1979 and it is difficult to provide a definition that covers all types of metadata. It can be described as a set of data that is created when electronic communications and other activities over the internet and phone lines are conducted. It is a set of data that creates a map or a log of activity rather than data that provides detail of the contents of communications.
The metadata required to be retained by telcos and ISPs under the Data Retention Regime is grouped into six categories of information:
- type of communication;
- identity of the customer involved in a communications service;
- source of the communication;
- destination of the communication;
- date, time and duration of the communication; and
- location of the equipment used in the communication.
The metadata to be retained will be protected as personal information under the Privacy Act 1988 and the Australian Privacy Principles (APPs) if the organisation has the capacity and resources to link that information to an individual or otherwise identify an individual.
Reminder: obligations under the Privacy Act 1988
Although your business may not be under any requirement to retain data as a result of the Data Retention Regime, this is an opportune time for a refresher on business obligations in regards to storage and security under the Australian Privacy Principles (APPs).
The APPs do not set any time limit on how long personal information may be retained. However, APP 11 (security of personal information) places an obligation on an APP entity to take reasonable steps to destroy or de-identify personal information that is no longer required. Exceptions to this destroy or de-identify obligation include personal information contained within a Commonwealth record and compliance with a court or tribunal order. APP 11 also places an obligation on APP entities to take reasonable steps to protect personal information from misuse, interference, loss, unauthorised access and unauthorised disclosure.
What steps are considered reasonable will depend on the circumstances, which may include the entity’s size, resources, the sensitivity of the personal information, the possible consequences of a breach and practicality. The Office of the Australian Information Commissioner (OAIC) has placed a large focus on governance, culture and staff training, and it is important that a good compliance program is in place within your organisation.
There is currently no mandatory reporting of data breaches under the Privacy Act 1988; however, the Federal Government has indicated that it plans to introduce a mandatory data breach notification scheme in the near future. In the meantime, the OAIC has provided a breach notification guide which is useful in shaping your corporate policies and compliance framework.
If you have questions about how privacy or data retention affect your business, please do not hesitate to get in touch on (02) 8221 0933.