​​​​​​​
You are here: Skip breadcrumbAttorney-General's Department >> National security >> Data retention >> Frequently asked questions about the data retention obligations

Frequently asked questions about the data retention obligations

Why is it important for law enforcement and security agencies to lawfully access data?

Data plays a central role in almost all serious criminal and national security investigations, which is why it's so critical that our law enforcement and security agencies continue to have the ability to lawfully access this kind of data in connection with their investigations. For example, child exploitation investigations rely heavily on access to data as perpetrators primarily share information online.

Why does Australia have a data retention scheme?

Changing business models and technology meant that many telecommunications companies were no longer retaining some types of data, or were not retaining it long enough to be useful to law enforcement and security investigations. Inconsistent retention and lack of data hampered investigations and prevented perpetrators from being brought to justice.

Is the telecommunications industry required to retain the content of communications?

No. Industry is required to retain a limited range of data, which is information about a communication, but not the content or substance of a communication. For phone calls, data is information such as the phone numbers of the people talking to each other and how long they talked to each other for— not what they said. For email activity, data is information such as relevant email addresses and when it was sent—not the subject line of the email or its content.

Of particular importance to investigations is the Internet Protocol (IP) address allocated to a user's device (e.g. mobile phone or computer) by his or her internet service provider. This is a critical piece of data for law enforcement and security agencies because it enables them to match a device to a name. For example, a foreign police service may find a computer server that provides child pornography was accessed by IP addresses in Australia. In this case, the Australian Federal Police would seek information about which customer was using that particular IP address at that particular time.

Are internet service providers required to keep web-browsing histories?

No. Internet service providers are not required to retain a person's web-browsing history or any data that would amount to web-browsing history.

Is social media included in the retention scheme?

No. Australian internet service providers are not required to keep data about what a person does on social media in the same way they are not required to retain web browsing history.

Who can access the data?

Section 110A of the TIA Act states that only the following criminal law-enforcement agencies can apply for access retained data:

  • Australian Federal Police
  • a police force of a state
  • Australian Commission for Law Enforcement Integrity
  • Australian Criminal Intelligence Commission
  • subject to subsection (1A), the Immigration and Border Protection Department
  • Australian Securities and Investments Commission
  • Australian Competition and Consumer Commission
  • Independent Commission Against Corruption
  • Police Integrity Commission
  • Independent Broad-based Anti-corruption Commission
  • Crime and Corruption Commission
  • Corruption and Crime Commission
  • Independent Commissioner Against Corruption
  • or an authority or body for which a declaration is in force.

Why is data retained for two years?

The advice of law enforcement and security agencies is that a data retention period of two years is necessary to investigate complex and serious criminal matters. Most requests made by these agencies relate to straightforward and simple cases, which can be solved using data which is less than six months old. However, complex and serious cases—including many terrorism, espionage, organised crime, financial crime and public corruption cases—often involve lengthy investigations that require data older than six months.