The Australian Government is committed to providing our law enforcement and security agencies with the tools they need to keep our community safe by requiring the telecommunications industry to retain a limited set of metadata for two years.
Data retention does not provide new powers for agencies to access metadata. It simply obliges telecommunications companies to retain and secure a limited set of records for two years. This will ensure that Australia’s law enforcement and security agencies are able to continue to have lawful access to metadata, subject to strict controls.
In fact, data retention will be supported by existing as well as new safeguards, oversight and accountability mechanisms, including:
- significantly limiting the range of agencies permitted to access metadata
- introducing comprehensive, independent oversight of Commonwealth, state and territory law enforcement agencies by the Commonwealth Ombudsman
- introducing new requirements for the Attorney-General’s Department to publicly report on the operation of the data retention scheme each year
- introducing a new journalist information warrant regime, which requires ASIO and enforcement agencies to obtain a warrant prior to authorising disclosure of telecommunications data to identify a journalist’s source
- establishing Public Interest Advocates (PIAs) that may make submissions in relation to journalist information warrants
- a mandatory review of the data retention scheme by the Parliamentary Joint Committee on Intelligence and Security (PJCIS) within three years of the scheme being fully implemented.
The independent Inspector-General of Intelligence and Security will continue to oversight access to metadata by the Australian Security Intelligence Organisation (ASIO), and the Privacy Commissioner will continue to assess industry’s compliance with the Australian Privacy Principles as well as monitoring industry’s non-disclosure obligations under the Telecommunications Act.
The Parliamentary Joint Committee on Intelligence and Security will review the operation of the mandatory data retention scheme in four years.
The following fact sheet with more information is available to download:
If you are a service provider, you may be subject to data retention obligations. To assist industry in meeting the upfront costs of implementing the mandatory data retention regime, the Australian Government has committed up to $128.4 million to the Data Retention Industry Grants Programme.
For more information on data retention obligations and the Data Retention Industry Grants Programme visit the Industry implementation of data retention page.
Metadata is information about a communication (the who, when, where and how)—not the content or substance of a communication (the what).
For phone calls, metadata includes the phone numbers of the people talking to each other and how long they talked—not what they said.
For internet activity, metadata is information such as an email address and when it was sent—not the subject line of an email or its content.
The Australian Government is not requiring industry to retain a person’s web-browsing history or any data that may amount to a person’s web-browsing history.
Metadata is used in almost every serious criminal or national security investigation, including murder, counter-terrorism, counter-espionage, sexual assault and kidnapping cases. Agencies use metadata to help:
- quickly rule innocent people out from suspicion and further investigation, for example by showing they had not been in contact with other suspects
- identify suspects and networks of criminal associates
- support applications to use more complex and intrusive tools, such as a warrant to intercept the content of communications
- provide evidence in prosecutions.
Australian telecommunications companies must keep a limited set of metadata which is information about the circumstance of a communication for two years. It is not the content of the communication and web-browsing history is specifically excluded from the scheme. The legislation also requires telecommunications companies to secure the stored data by encrypting it and preventing unauthorised access.
The set of metadata required to be retained and secured is defined by reference to the following six types of information: the identity of the subscriber to a communications service; the source of the communication; the destination of the communication; the date, time and duration of the communication; the type of the communication; and the location of the equipment used in the communication.
Australia needs a data retention scheme because telecommunications companies are retaining less data and keeping it for a shorter time. This is degrading the investigative capabilities of law enforcement and security agencies and, in some cases, has prevented serious criminals from being brought to justice.
On 30 October 2014, the government introduced the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014, an important next step in giving our law enforcement and security agencies the tools they need to keep Australia safe. The Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015 passed the Parliament on 26 March 2015 and received Royal Assent on 13 April 2015.
The data set is enshrined in the legislation and was developed in consultation with industry. An Implementation Working Group will continue to support implementation of the scheme. This group includes representatives from industry and government.
A copy of the data set is available to download below:
Protecting personal information for Australians is essential.
Data retained by industry under the mandatory data retention regime is protected as personal information for the purposes of the Privacy Act and the Australian Privacy Principles (APPs). As such, the Privacy Commissioner will assess industry compliance with the APPs, as well as monitoring industry’s non-disclosure obligations under the Telecommunications Act.
The Attorney-General’s Department has engaged PricewaterhouseCoopers (PwC) to cost the implementation of the proposed data retention regime in consultation with industry. PwC estimated the upfront capital cost of the regime to all of business to be between $188.8 million and $319.1 million, which is less than 1 per cent of the $43 billion in revenue generated by the telecommunications industry annually. This estimate will inform the Australian Government in delivering on its commitment to make a reasonable contribution to the capital costs of implementation of the data retention regime.