C. Part 5-1A of the Telecommunications (Interception and Access) Act 1979

This is an extract of Part 5-1A, sections 187 to 187P of the Telecommunications (Interception and Access) Act 1979.

Part 5-1—Definitions

187 Definitions

(1)This section sets out the meaning of the following 2 important concepts used in this Chapter:
(a)interception capability (relating to obligations under Part 5-3);
(b)delivery capability (relating to obligations under Part 5-5).
These concepts do not overlap.
Interception capability
(2)In this Chapter, interception capability, in relation to a particular kind of telecommunications service that involves, or will involve, the use of a telecommunications system, means the capability of that kind of service or of that system to enable:
(a)a communication passing over the system to be intercepted; and
(b)lawfully intercepted information to be transmitted to the delivery points applicable in respect of that kind of service.
Delivery capability
(3)In this Chapter, delivery capability, in relation to a particular kind of telecommunications service that involves, or will involve, the use of a telecommunications system, means the capability of that kind of service or of that system to enable lawfully intercepted information to be delivered to interception agencies from the delivery points applicable in respect of that kind of service.

Part 5-1A—Data retention

Division 1—Obligation to keep information and documents

187A Service providers must keep certain information and documents

(1)A person (a service provider) who operates a service to which this Part applies (a relevant service) must keep, or cause to be kept, in accordance with section 187BA and for the period specified in section 187C:
(a)information of a kind specified in or under section 187AA; or
(b)documents containing information of that kind;
relating to any communication carried by means of the service.
Note 1:Subsection (3) sets out the services to which this Part applies.
Note 2:Section 187B removes some service providers from the scope of this obligation, either completely or in relation to some services they operate.
Note 3:Division 3 provides for exemptions from a service provider’s obligations under this Part.
(3)This Part applies to a service if:
(a)it is a service for carrying communications, or enabling communications to be carried, by means of guided or unguided electromagnetic energy or both; and
(b)it is a service:
(i)operated by a carrier; or
(ii)operated by an internet service provider (within the meaning of Schedule 5 to the Broadcasting Services Act 1992); or
(iii)of a kind for which a declaration under subsection (3A) is in force; and
(c)the person operating the service owns or operates, in Australia, infrastructure that enables the provision of any of its relevant services;
but does not apply to a broadcasting service (within the meaning of the Broadcasting Services Act 1992).
(3A)The Minister may, by legislative instrument, declare a service to be a service to which this Part applies.
(3B)A declaration under subsection (3A):
(a)comes into force when it is made, or on such later day as is specified in the declaration; and
(b)ceases to be in force at the end of the period of 40 sitting days of a House of the Parliament after the declaration comes into force.
(3C)If a Bill is introduced into either House of the Parliament that includes an amendment of subsection (3), the Minister:
(a)must refer the amendment to the Parliamentary Joint Committee on Intelligence and Security for review; and
(b)must not in that referral specify, as the period within which the Committee is to report on its review, a period that will end earlier than 15 sitting days of a House of the Parliament after the introduction of the Bill.
(4)This section does not require a service provider to keep, or cause to be kept:
(a)information that is the contents or substance of a communication; or
Note:This paragraph puts beyond doubt that service providers are not required to keep information about telecommunications content.
(b)information that:
(i)states an address to which a communication was sent on the internet, from a telecommunications device, using an internet access service provided by the service provider; and
(ii)was obtained by the service provider only as a result of providing the service; or
Note:This paragraph puts beyond doubt that service providers are not required to keep information about subscribers’ web browsing history.
(c)information to the extent that it relates to a communication that is being carried by means of another service:
(i)that is of a kind referred to in paragraph (3)(a); and
(ii)that is operated by another person using the relevant service operated by the service provider;
or a document to the extent that the document contains such information; or
Note:This paragraph puts beyond doubt that service providers are not required to keep information or documents about communications that pass “over the top” of the underlying service they provide, and that are being carried by means of other services operated by other service providers.
(d)information that the service provider is required to delete because of a determination made under section 99 of the Telecommunications Act 1997, or a document to the extent that the document contains such information; or
(e)information about the location of a telecommunications device that is not information used by the service provider in relation to the relevant service to which the device is connected.
(5)Without limiting subsection (1), for the purposes of this section:
(a)an attempt to send a communication by means of a relevant service is taken to be the sending of a communication by means of the service, if the attempt results in:
(i)a connection between the telecommunications device used in the attempt and another telecommunications device; or
(ii)an attempted connection between the telecommunications device used in the attempt and another telecommunications device; or
(iii)a conclusion being drawn, through the operation of the service, that a connection cannot be made between the telecommunications device used in the attempt and another telecommunications device; and
(b)an untariffed communication by means of a relevant service is taken to be a communication by means of the service.
(6)To avoid doubt, if information that subsection (1) requires a service provider to keep in relation to a communication is not created by the operation of a relevant service, subsection (1) requires the service provider to use other means to create the information, or a document containing the information.

187AA Information to be kept

(1)The following table sets out the kinds of information that a service provider must keep, or cause to be kept, under subsection 187A(1):
Kinds of information to be kept

Item 1
Topic (Column 1): The subscriber of, and accounts, services, telecommunications devices and other relevant services relating to, the relevant service
Description of information (Column 2): The following:
(a) any information that is one or both of the following:
(i) any name or address information;
(ii) any other information for identification purposes;
relating to the relevant service, being information used by the service provider for the purposes of identifying the subscriber of the relevant service;
(b) any information relating to any contract, agreement or arrangement relating to the relevant service, or to any related account, service or device;
(c) any information that is one or both of the following:
(i) billing or payment information;
(ii) contact information;
relating to the relevant service, being information used by the service provider in relation to the relevant service;
(d) any identifiers relating to the relevant service or any related account, service or device, being information used by the service provider in relation to the relevant service or any related account, service or device;
(e) the status of the relevant service, or any related account, service or device.

Item 2
Topic (Column 1): The source of a communication
Description of information (Column 2): Identifiers of a related account, service or device from which the communication has been sent by means of the relevant service.

Item 3
Topic (Column 1): The destination of a communication
Description of information (Column 2): Identifiers of the account, telecommunications device or relevant service to which the communication:
(a) has been sent; or
(b) has been forwarded, routed or transferred, or attempted to be forwarded, routed or transferred.

Item 4
Topic (Column 1): The date, time and duration of a communication, or of its connection to a relevant service
Description of information (Column 2): The date and time (including the time zone) of the following relating to the communication (with sufficient accuracy to identify the communication):
(a) the start of the communication;
(b) the end of the communication;
(c) the connection to the relevant service;
(d) the disconnection from the relevant service.

Item 5
Topic (Column 1): The type of a communication or of a relevant service used in connection with a communication
Description of information (Column 2): The following:
(a) the type of communication;
Examples:Voice, SMS, email, chat, forum, social media.
(b) the type of the relevant service;
Examples:ADSL, WiFi, VoIP, cable, GPRS, VoLTE, LTE.
(c) the features of the relevant service that were, or would have been, used by or enabled for the communication.
Examples:Call waiting, call forwarding, data volume usage.
Note:This item will only apply to the service provider operating the relevant service: see paragraph 187A(4)(c).

Item 6
Topic (Column 1): The location of equipment, or a line, used in connection with a communication
Description of information (Column 2): The following in relation to the equipment or line used to send or receive the communication:
(a) the location of the equipment or line at the start of the communication;
(b) the location of the equipment or line at the end of the communication.
Examples:Cell towers, WiFi hotspots.

(2)The Minister may, by legislative instrument, make a declaration modifying (including by adding, omitting or substituting) the table in subsection (1), or that table as previously modified under this subsection.
(3)A declaration under subsection (2):
(a)comes into force when it is made, or on such later day as is specified in the declaration; and
(b)ceases to be in force at the end of the period of 40 sitting days of a House of the Parliament after the declaration comes into force.
(4)If a Bill is introduced into either House of the Parliament that includes an amendment of subsection 187A(4) or subsection (1) or (5) of this section, the Minister:
(a)must refer the amendment to the Parliamentary Joint Committee on Intelligence and Security for review; and
(b)must not in that referral specify, as the period within which the Committee is to report on its review, a period that will end earlier than 15 sitting days of a House of the Parliament after the introduction of the Bill.
(5)For the purposes of items 2, 3, 4 and 6 of the table in subsection (1) and any modifications of those items under subsection (2), 2 or more communications that together constitute a single communications session are taken to be a single communication.

187B Certain service providers not covered by this Part

(1)Subsection 187A(1) does not apply to a service provider (other than a carrier that is not a carriage service provider) in relation to a relevant service that it operates if:
(a)the service:
(i)is provided only to a person’s immediate circle (within the meaning of section 23 of the Telecommunications Act 1997); or
(ii)is provided only to places that, under section 36 of that Act, are all in the same area; and
(b)the service is not subject to a declaration under subsection (2) of this section.
(2)The Communications Access Coordinator may declare that subsection 187A(1) applies in relation to a relevant service that a service provider operates.
(2A)Before making the declaration, the Communications Access Coordinator may consult the Privacy Commissioner.
(3)In considering whether to make the declaration, the Communications Access Coordinator must have regard to:
(a)the interests of law enforcement and national security; and
(b)the objects of the Telecommunications Act 1997; and
(ba)the objects of the Privacy Act 1988; and
(bb)any submissions made by the Privacy Commissioner because of the consultation under subsection (2A); and
(c)any other matter that the Communications Access Coordinator considers relevant.
(4)The declaration must be in writing.
(5)A declaration made under subsection (2) is not a legislative instrument.
(6)As soon as practicable after making a declaration under subsection (2), the Communications Access Coordinator must give written notice of the declaration to the Minister.
(7)As soon as practicable after receiving the notice under subsection (6), the Minister must give written notice of the declaration to the Parliamentary Joint Committee on Intelligence and Security.

187BA Ensuring the confidentiality of information

A service provider must protect the confidentiality of information that, or information in a document that, the service provider must keep, or cause to be kept, under section 187A by:
(a)encrypting the information; and
(b)protecting the information from unauthorised interference or unauthorised access.

187C Period for keeping information and documents

(1)The period for which a service provider must keep, or cause to be kept, information or a document under section 187A is:
(a)if the information is about, or the document contains information about, a matter of a kind described in paragraph (a) or (b) in column 2 of item 1 of the table in subsection 187AA(1)—the period:
(i)starting when the information or document came into existence; and
(ii)ending 2 years after the closure of the account to which the information or document relates; or
(b)otherwise—the period:
(i)starting when the information or document came into existence; and
(ii)ending 2 years after it came into existence.
(2)However, the regulations may prescribe that, in relation to a specified matter of a kind described in paragraph (a) or (b) in column 2 of item 1 of the table in subsection 187AA(1), the period under subsection (1) of this section is the period referred to in paragraph (1)(b) of this section.
(3)This section does not prevent a service provider from keeping information or a document for a period that is longer than the period provided under this section.
Note:Division 3 provides for reductions in periods specified under this section.

Division 2—Data retention implementation plans

187D Effect of data retention implementation plans

While there is in force a data retention implementation plan for a relevant service operated by a service provider:
(a)the service provider must comply with the plan in relation to communications carried by means of that service; but
(b)the service provider is not required to comply with subsection 187A(1) (or section 187BA or 187C) in relation to those communications.

187E Applying for approval of data retention implementation plans

(1)A service provider may apply to the Communications Access Coordinator for approval of a data retention implementation plan for one or more relevant services operated by the service provider.
(2)The plan must specify, in relation to each such service:
(a)an explanation of the current practices for keeping, and ensuring the confidentiality of, information and documents that section 187A would require to be kept, if the plan were not in force; and
(b)details of the interim arrangements that the service provider proposes to be implemented, while the plan is in force, for keeping, and ensuring the confidentiality of, such information and documents (to the extent that the information and documents will not be kept in compliance with section 187A (and sections 187BA and 187C)); and
(c)the day by which the service provider will comply with section 187A (and sections 187BA and 187C) in relation to all such information and documents, except to the extent that any decisions under Division 3 apply.
(3)The day specified under paragraph (2)(c) must not be later than the day on which the plan would, if approved, cease to be in force under section 187H in relation to the service.
(4)The plan must also specify:
(a)any relevant services, operated by the service provider, that the plan does not cover; and
(b)the contact details of the officers or employees of the service provider in relation to the plan.

187F Approval of data retention implementation plans

(1)If, under section 187E, a service provider applies for approval of a data retention implementation plan, the Communications Access Coordinator must:
(a)approve the plan and notify the service provider of the approval; or
(b)give the plan back to the service provider with a written request for the service provider to amend the plan to take account of specified matters.
(2)Before making a decision under subsection (1), the Communications Access Coordinator must take into account:
(a)the desirability of achieving substantial compliance with section 187A (and sections 187BA and 187C) as soon as practicable; and
(b)the extent to which the plan would reduce the regulatory burden imposed on the service provider by this Part; and
(c)if, at the time the Coordinator receives the application, the service provider is contravening section 187A (or section 187BA or 187C) in relation to one or more services covered by the application—the reasons for the contravention; and
(d)the interests of law enforcement and national security; and
(e)the objects of the Telecommunications Act 1997; and
(f)any other matter that the Coordinator considers relevant.
(3)If the Communications Access Coordinator does not, within 60 days after the day the Coordinator receives the application:
(a)make a decision on the application, and
(b)communicate to the applicant the decision on the application;
the Coordinator is taken, at the end of that period of 60 days, to have made the decision that the service provider applied for, and to have notified the service provider accordingly.
(4)A decision that is taken under subsection (3) to have been made in relation to a service provider that applied for the decision has effect only until the Communications Access Coordinator makes, and communicates to the service provider, a decision on the application.

187G Consultation with agencies and the ACMA

(1)As soon as practicable after receiving an application under section 187E to approve a data retention implementation plan (the original plan), the Communications Access Coordinator must:
(a)give a copy of the plan to the enforcement agencies and security authorities that, in the opinion of the Coordinator, are likely to be interested in the plan; and
(b)invite each such enforcement agency or security authority to provide comments on the plan to the Coordinator.
The Coordinator may give a copy of the plan to the ACMA.
Request for amendment of original plan
(2)If:
(a)the Communications Access Coordinator receives a comment from an enforcement agency or security authority requesting an amendment of the original plan; and
(b)the Coordinator considers the request to be a reasonable one;
the Coordinator:
(c)must request that the service provider make the amendment within 30 days (the response period) after receiving the comment or summary; and
(d)may give the service provider a copy of the comment or a summary of the comment.
Response to request for amendment of original plan
(3)The service provider must respond to a request for an amendment of the original plan either:
(a)by indicating its acceptance of the request, by amending the original plan appropriately and by giving the amended plan to the Communications Access Coordinator within the response period; or
(b)by indicating that it does not accept the request and providing its reasons for that non-acceptance.
The ACMA’s role
(4)If the service provider indicates that it does not accept a request for an amendment of the original plan, the Communications Access Coordinator must:
(a)refer the request and the service provider’s response to the ACMA; and
(b)request the ACMA to determine whether any amendment of the original plan is required.
(5)The ACMA must then:
(a)determine in writing that no amendment of the original plan is required in response to the request for the amendment; or
(b)if, in the opinion of the ACMA:
(i)the request for the amendment is a reasonable one; and
(ii)the service provider’s response to the request for the amendment is not reasonable;
determine in writing that the original plan should be amended in a specified manner and give a copy of the determination to the service provider.
Coordinator to approve amended plan or to refuse approval
(6)The Communications Access Coordinator must:
(a)if, on receipt of a determination under paragraph (5)(b), the service provider amends the original plan to take account of that determination and gives the amended plan to the Communications Access Coordinator—approve the plan as amended, and notify the service provider of the approval; or
(b)otherwise—refuse to approve the plan, and notify the service provider of the refusal.
ACMA determination not a legislative instrument
(7)A determination made under subsection (5) is not a legislative instrument.

187H When data retention implementation plans are in force

(1)A data retention implementation plan for a relevant service operated by a service provider:
(a)comes into force when the Communications Access Coordinator notifies the service provider of the approval of the plan; and
(b)ceases to be in force in relation to that service:
(i)if the service provider was operating the service at the commencement of this Part—at the end of the implementation phase for this Part; or
(ii)if the service provider was not operating the service at the commencement of this Part—at the end of the period of 18 months starting on the day the service provider started to operate the service after that commencement.
(2)The implementation phase for this Part is the period of 18 months starting on the commencement of this Part.

187J Amending data retention implementation plans

(1)If a service provider’s data retention implementation plan is in force, it may be amended only if:
(a)the service provider applies to the Communications Access Coordinator for approval of the amendment, and the Coordinator approves the amendment; or
(b)the Coordinator makes a request to the service provider for the amendment to be made, and the service provider agrees to the amendment.
(2)Section 187F applies in relation to approval of the amendment under paragraph (1)(a) as if the application for approval of the amendment were an application under section 187E for approval of a data retention implementation plan.
(3)An amendment of a data retention implementation plan:
(a)comes into force when:
(i)if paragraph (1)(a) applies—the Coordinator notifies the service provider of the approval of the amendment; or
(ii)if paragraph (1)(b) applies—the service provider notifies the Coordinator of the service provider’s agreement to the amendment; but
(b)does not effect when the plan ceases to be in force under paragraph 187H(1)(b).

Division 3—Exemptions

187K The Communications Access Coordinator may grant exemptions or variations

Decision to exempt or vary
(1)The Communications Access Coordinator may:
(a)exempt a specified service provider from the obligations imposed on the service provider under this Part, either generally or in so far as they relate to a specified kind of relevant service; or
(b)vary the obligations imposed on a specified service provider under this Part, either generally or in so far as they relate to a specified kind of relevant service; or
(c)vary, in relation to a specified service provider, a period specified in section 187C, either generally or in relation to information or documents that relate to a specified kind of relevant service.
A variation must not impose obligations that would exceed the obligations to which a service provider would otherwise be subject under sections 187A and 187C.
(2)The decision must be in writing.
(3)The decision may be:
(a)unconditional; or
(b)subject to such conditions as are specified in the decision.
(4)A decision made under subsection (1) is not a legislative instrument.
Effect of applying for exemption or variation
(5)If a service provider applies in writing to the Communications Access Coordinator for a particular decision under subsection (1) relating to the service provider:
(a)the Coordinator:
(i)must give a copy of the application to the enforcement agencies and security authorities that, in the opinion of the Coordinator, are likely to be interested in the application; and
(ii)may give a copy of the application to the ACMA; and
(b)if the Coordinator does not, within 60 days after the day the Coordinator receives the application:
(i)make a decision on the application, and
(ii)communicate to the applicant the decision on the application;
the Coordinator is taken, at the end of that period of 60 days, to have made the decision that the service provider applied for.
(6)A decision that is taken under paragraph (5)(b) to have been made in relation to a service provider that applied for the decision has effect only until the Communications Access Coordinator makes, and communicates to the service provider, a decision on the application.
Matters to be taken into account
(7)Before making a decision under subsection (1) in relation to a service provider, the Communications Access Coordinator must take into account:
(a)the interests of law enforcement and national security; and
(b)the objects of the Telecommunications Act 1997; and
(c)the service provider’s history of compliance with this Part; and
(d)the service provider’s costs, or anticipated costs, of complying with this Part; and
(e)any alternative data retention or information security arrangements that the service provider has identified.
(8)The Communications Access Coordinator may take into account any other matter he or she considers relevant.

187KA Review of exemption or variation decisions

(1)A service provider may apply in writing to the ACMA for review of a decision under subsection 187K(1) relating to the service provider.
(2)The ACMA must:
(a)confirm the decision; or
(b)substitute for that decision another decision that could have been made under subsection 187K(1).
A substituted decision under paragraph (b) has effect (other than for the purposes of this section) as if it were a decision of the Communications Access Coordinator under subsection 187K(1).
(3)Before considering its review of the decision under subsection 187K(1), the ACMA must give a copy of the application to:
(a)the Communications Access Coordinator; and
(b)any enforcement agencies and security authorities that were given, under subparagraph 187K(5)(a)(i), a copy of the application for the decision under review; and
(c)any other enforcement agencies and security authorities that, in the opinion of the ACMA, are likely to be interested in the application.
Matters to be taken into account
(4)Before making a decision under subsection (2) in relation to a service provider, the ACMA must take into account:
(a)the interests of law enforcement and national security; and
(b)the objects of the Telecommunications Act 1997; and
(c)the service provider’s history of compliance with this Part; and
(d)the service provider’s costs, or anticipated costs, of complying with this Part; and
(e)any alternative data retention or information security arrangements that the service provider has identified.
(5)The ACMA may take into account any other matter it considers relevant.

Division 4—Miscellaneous

187KB Commonwealth may make a grant of financial assistance to service providers

(1)The Commonwealth may make a grant of financial assistance to a service provider for the purpose of assisting the service provider to comply with the service provider’s obligations under this Part.
(2)The terms and conditions on which that financial assistance is granted are to be set out in a written agreement between the Commonwealth and the service provider.
(3)An agreement under subsection (2) may be entered into on behalf of the Commonwealth by the Minister.

187L Confidentiality of applications

(1)If the Communications Access Coordinator receives a service provider’s application under section 187E for approval of a data retention implementation plan, or application for a decision under subsection 187K(1), the Coordinator must:
(a)treat the application as confidential; and
(b)ensure that it is not disclosed to any other person or body (other than the ACMA, an enforcement agency or a security authority) without the written permission of the service provider.
(1A)If the ACMA receives a service provider’s application under section 187KA for review of a decision under subsection 187K(1), the ACMA must:
(a)treat the application as confidential; and
(b)ensure that it is not disclosed to any other person or body (other than the Communications Access Coordinator, an enforcement agency or a security authority) without the written permission of the service provider.
(2)The ACMA, the Communications Access Coordinator, an enforcement agency or a security authority must, if it receives under subsection 187G(1), paragraph 187K(5)(a) or subsection 187KA(3) a copy of a service provider’s application:
(a)treat the copy as confidential; and
(b)ensure that it is not disclosed to any other person or body without the written permission of the service provider.

187LA Application of the Privacy Act 1988

(1)The Privacy Act 1988 applies in relation to a service provider, as if the service provider were an organisation within the meaning of that Act, to the extent that the activities of the service provider relate to retained data.
(2)Information that is kept under this Part, or information that is in a document kept under this Part is taken, for the purposes of the Privacy Act 1988, to be personal information about an individual if the information relates to:
(a)the individual; or
(b)a communication to which the individual is a party.

187M Pecuniary penalties and infringement notices

Subsection 187A(1) and paragraph 187D(a) are civil penalty provisions for the purposes of the Telecommunications Act 1997.
Note:Parts 31 and 31B of the Telecommunications Act 1997 provide for pecuniary penalties and infringement notices for contraventions of civil penalty provisions.

187N Review of operation of this Part and the amendments made by the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018

(1)The Parliamentary Joint Committee on Intelligence and Security must review the operation of this Part and the amendments made by the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018.
(1A)The review:
(a)must start on or before the second anniversary of the end of the implementation phase; and
(b)must be concluded on or before the third anniversary of the end of the implementation phase.
(2)The Committee must give the Minister a written report of the review.
(3)Until the review is completed, the head (however described) of an enforcement agency must keep:
(a)all of the documents that he or she is required to retain under section 185; and
(b)all of the information that he or she is required, by paragraphs 186(1)(e) to (k), to include in a report under subsection 186(1);
relating to the period starting on the commencement of this Part and ending when the review is completed.
(4)Until the review is completed, the Director-General of Security must keep:
(a)all of the authorisations made under Division 3 of Part 4-1; and
(b)all of the information that he or she is required, by paragraphs 94(2A)(c) to (j) of the Australian Security Intelligence Organisation Act 1979, to include in a report referred to in subsection 94(1) of that Act;
relating to the period starting on the commencement of this Part and ending when the review is completed.
(5)Subsections (3) and (4) do not limit any other obligation to keep information under this Act or another law.

187P Annual reports

(1)The Minister must, as soon as practicable after each 30 June, cause to be prepared a written report on the operation of this Part during the year ending on that 30 June.
(1A)Without limiting the matters that may be included in a report under subsection (1), it must include information about:
(a)the costs to service providers of complying with this Part; and
(b)the use of data retention implementation plans approved under Division 2 of this Part.
(2)A report under subsection (1) must be included in the report prepared under subsection 186(2) relating to the year ending on that 30 June.
(3)A report under subsection (1) must not be made in a manner that is likely to enable the identification of a person.


About this inquiry

The Committee is required by section 187N of the Telecommunications (Interception and Access) Act 1979 (TIA Act) to review the mandatory data retention regime prescribed by Part 5-1A of the TIA Act. The TIA Act provides for the completion of the review by 13 April 2020.



Past Public Hearings

28 Feb 2020: Canberra
14 Feb 2020: Canberra
07 Feb 2020: Canberra