Chapter 3
Key issues
3.1
The Committee received 7 submissions to the inquiry which canvassed a
number of different issues. While there were very few issues that were raised
by more than one submitter, generally the concerns related to either how intercepted
information could be used or the adequacy of the destruction requirements for
records of intercepted communications.
Use of intercepted information
3.2
The proposed exemptions from the prohibition on intercepting
communications that are passing over a telecommunications network apply
differently to different types of organisations. Broadly, both government and
non-government owners and operators of computer networks will be able to
intercept communications for 'network protection duties'. However, only certain
government agencies will be allowed to use intercepted communications for
'disciplinary action'. Various submitters raised concerns about how well these
two terms were defined. The majority of other issues raised during the inquiry
relate when information that has been intercepted must or may be disclosed.
'Network Protection Duties'
3.3
Generally, the proposed arrangements would allow authorised persons
within any organisation that owns or operates a network to intercept
communications for 'network protection duties'. The Office of the Privacy
Commissioner (OPC) called for a more precise explanation for what constitutes
'network protection duties':
The [OPC] suggests that the legislation could provide additional
guidance on the operation of the provisions to assist organisations to train authorised
persons about what actions are lawfully permitted to be undertaken under the scheme
(including clause 11). For example, what measures are covered by ‘the
operation, protection or maintenance of the network’ and when is an
interception ‘reasonably necessary’?[1]
3.4
The Attorney-General's Department (AGD) indicated that the provisions,
which do not require organisations to undertake network protection duties, do
not define the specific actions necessary to operate, protect and maintain a
network as the types of activities required may vary for each network across
the private and public sphere.
The Explanatory Memorandum provides a useful source of
guidance and gives some examples of who might be the ‘responsible person’ in an
organisation, who can undertake network protection duties, and in what sort of
circumstances information can be communicated...The Attorney-General’s Department
is also available to provide guidance and advice regarding the operation of the
network protection provisions... and will undertake targeted education if the
proposals are passed.[2]
3.5
Another submitter, who practices law and advises on information
technology matters, also called for clarification as to what sorts of
activities would constitute 'reasonable use'. The submitter cited common and
desirable industry practices such as spam filtering, employee absence
arrangements such as email redirections, and common email quarantining
practices as examples which may not strictly be considered necessary for the
protection of the network but which should be considered lawful.[3]
'Disciplinary Action'
3.6
The OPC pointed out that 'disciplinary action' is not defined in the
bill and noted that new section 6AAA sets out that the parameters used to
determine appropriate use of the computer network would be based on the Commonwealth
agency, security authority or eligible State authority's IT policies.
The Office notes that IT policies often include conditions
that are not related to computer network protection, although these conditions
may be reasonable in the circumstances. For example, an IT policy may regulate
individuals’ use of the computer network for non-work related purposes, such as
internet banking.[4]
3.7
The OPC is concerned that the broad scope of the 'appropriate use'
definition may make it lawful for the agency to use and disclose an intercepted
communication for disciplinary action even if that use of the network does not
pose a network security risk. The OPC recommended that the Bill should clarify
that ‘disciplinary action’ regarding misuse of the computer network applies
only to those activities that pose a risk to network security.[5]
3.8
The AGD submitted that the broader application of the provisions was
appropriate in that they:
...[reflect] the sensitive nature of work undertaken by
employees in these particular organisations and the additional professional
standards and statutory requirements that are not applicable to other public
sector or non-government organisations.[6]
3.9
The Australian Federal Police Association (AFPA) further expanded on
this issue, pointing out that, since the Law Enforcement (AFP Professional
Standards and Related Measures) Act 2006 repealed the disciplinary tribunal
under s56 of the Complaints (Australian Federal Police) Act 2981, there
has been no legislated internal appeal mechanism for non-reviewable matters
(except in relation to termination under the Fair Work Act 2009). That
is, the 'disciplinary action' definition contained in the Bill facilitates the
use of intercepted communications for taking internal administrative or
managerial action for low-level matters.
The net result for AFP employees would be that the dealing of
such information for disciplinary purposes, if used in an investigation under
Part V of the Australian Federal Police Act 1979, may lead to a
non-reviewable outcome with a punitive action. This unfairly impacts on those
employed under the AFP Act compared with Commonwealth public sector employees,
who are able to seek merit review as well as judicial review of disciplinary
action taken using this evidence.[7]
3.10
The AFPA recommends that section 63D be amended to use the term
'disciplinary proceedings' (instead of 'disciplinary action') to provide
express exclusion of low-level, internal administrative and managerial actions.
This would ensure that section 63D would only relate to cases where an
independent body will have the power to hear or examine the evidence presented
under oath.
3.11
The AGD responded to this recommendation, saying:
It is important to note that information accessed from a
computer networks server is fully accessible to the network operator and is
outside the operation of the Interception Act. Therefore limiting the use of
information obtained under the proposed ‘appropriate use’ provisions to
disciplinary proceedings, as requested by the Australian Federal Police
association, would not be of any benefit.[8]
Law Enforcement
3.12
Item 14 in Part 2 of Schedule 2 includes a provision which validates the
communication, use or recording of certain information, including that which
has occurred prior to the commencement of the Bill. The Attorney-General's
Department (AGD) submission explained the inclusion of this retrospective
provision.
The Criminal Code contains provisions that enable the AFP to
apply for control or preventative detention orders in order to prevent a
terrorist attack...
The [AGD] is of the view that the nature of the offences
associated with control orders and preventative detention orders means that the
AFP is authorised to use lawfully intercepted information in these
applications. However, the issue has not been considered by a court and, in the
absence of a specific reference, there is some risk a court could find that
information obtained under the TIA Act is not available for these purposes.[9]
3.13
The AGD submitted that this provision will remove any uncertainty and
ensure the validity of information used in control order applications.
Furthermore, they submitted that the amendments preserve the status quo and do
not increase the powers and functions of law enforcement agencies under the TIA
Act.[10]
Disclosure
3.14
The TIA Act makes disclosure of lawfully intercepted information to
another person an offence unless that disclosure is an exempt disclosure.
Broadly, disclosure that may be relevant in determining whether a serious
offence has been committed is considered an 'exempt disclosure'. The Law
Council of Australia raised concerns that the proposed disclosure provisions
could allow law enforcement agencies to bypass existing warrant arrangements.
The OPC suggested that the secondary use and disclosure provisions should be
strengthened.
Voluntary Disclosure to Law
Enforcement Agencies
3.15
The Law Council of Australia raised concerns about proposed section 63E
which allows the voluntary disclosure of information that has been intercepted
for network protection purposes to enforcement agencies. While agreeing to the
principle of the provision, they were concerned that this may allow law
enforcement agencies to obtain information by request, thus bypassing the
warrant arrangements contained elsewhere in the TIA Act.
The Law Council accepts that an agency would not have the
power under the Act to compel the disclosure of such information. However, the
Law Council submits that an agency is not expressly prohibited or prevented
from requesting the disclosure of information under proposed section 63E.
Chapter Four [of the TIA Act] also contains voluntary
disclosure provisions... which are similar in effect to proposed section 63E.
These provisions permit information to be disclosed in the absence of a formal
authorisation where it is necessary for certain purposes, such as the
enforcement of the criminal law. Unlike proposed section 63E, the voluntary
disclosure provisions in Chapter Four expressly provide that the section does
not apply where ASIO or the enforcement agency has requested the disclosure of
the information. In that way, the voluntary disclosure provisions in Chapter
Four can not be used to circumvent the authorisation process.[11]
3.16
The Law Council submitted that section 63E should contain a similar
arrangement to the Chapter Four disclosure laws, restricting the disclosure of
information where an enforcement agency has requested that information. They
maintained that such an amendment would safeguard against the potential misuse
of the section to circumvent the warrant requirements in the TIA Act.[12]
3.17
The AGD has addressed this concern in their supplementary submission.
The context around which the provisions in Chapter 4 of the
TIA Act... are substantially different to Part 2-6 of the TIA Act where the
proposed provisions will sit. In the case of the former, the prohibition
against disclosure sits in the Telecommunications Act 1997 and the
exceptions to disclosure are located in the TIA Act.
This is different to part Part 2-6 of the TIA Act, where
section 63 includes the general prohibition against disclosure of intercepted
warrant information and the subsequent sections then provide exceptions to
this. As such, it is not considered that explicit prohibitions are required.
Guidance has been provided in the Explanatory Memorandum by explaining that in
the absence of an exception that expressly allows law enforcement agencies to
obtain such network protection information, information cannot be obtained in
this way.[13]
Secondary Use and Disclosure
3.18
In its submission to the inquiry, the OPC noted that the responsible
person for a network is permitted to further disclose lawfully intercepted
information if that person suspects, on reasonable grounds, that the
information may be relevant in determining whether a prescribed offence
(usually an offence that is punishable by a prison term of a maximum of at
least three years) has been committed.[14]
The OPC considered that any exceptions that allow the further disclosure of restricted
records should be well defined.
These exceptions should align with community expectations and
be based on clearly articulated public policy reasons.[15]
3.19
The OPC also raised concerns about the strength of the disclosure
provisions in relation to non-government agencies.
Except for a designated Commonwealth agency, a security
authority or eligible authority of a state, there appears to be no restrictions
on any secondary uses or disclosures of the intercepted information placed on:
(a) a person engaged in network protection duties, or (b) on the responsible
person, or (c) on their employer. The Office suggests that s.63C could be
strengthened to prohibit secondary uses or disclosures by such persons and
their employer.[16]
3.20
The AGD believe that the broader protections contained in the TIA Act
relating to the use and disclosure of information are sufficiently strong.
It is important to note that the other use and disclosure
prohibitions contained in Part 2-6 of the TIA Act also apply to information
obtained through network protection activities, restricting the further use of
this information.[17]
Other comments on disclosure
3.21
Electronic Frontiers Australia (EFA) noted the changes made to the bill
since the Exposure Draft released by the Attorney-General's Department on 17
July 2009.[18]
EFA were less concerned about agency misuse of the provisions.
Importantly, the Bill limits disclosure of information for
disciplinary purposes to Commonwealth agencies, security authorities, or
eligible State authorities.
EFA believes that the Bill provides an appropriately limited
exception for permissible interception of telecommunications for network
security purposes. EFA assumes that the interests of the particularly
government agencies in overseeing their networks are appropriately considered
by the altered provisions of the Bill.[19]
Destruction Requirements
3.22
Section 79 of the TIA Act requires an interception agency to destroy 'restricted
records' (which does not include a copy of that record) if the Chief Officer of
the agency is satisfied that the restricted record is not likely to be required
for a permitted purpose. Evidence received by the Committee related to the
destruction of original records (and when the destruction requirement should
apply), and whether or not the destruction requirements should apply to copies
of the original record.
Original records
3.23
The Bill contains an exemption for communications that were intercepted
for computer network protection within interception agencies. As explained by
the OPC:
Clause 21 to the Bill states that the requirements of s.79 do
not apply to a communication that was intercepted for computer network
protection by an interception agency. The EM states that this obligation would
pose an onerous administrative burden on such agencies as the responsibility is
placed on the chief officer of the agency rather than on an authorised officer
(such as a ‘responsible officer’).
Accordingly, a new provision (s.79A) is introduced relating
to the destruction of a restricted record as soon as practicable if it is not
likely to be required for specified purposes. The provision applies generally
to computer network protection (including interception agencies) and the
obligation to destroy the restricted record is placed on the ‘responsible
officer’.[20]
3.24
The OPC submitted that all intercepted records, including copies,
obtained for the purpose of network protection should be destroyed when no
longer needed for that purpose.[21]
3.25
The EFA also commented on the new provisions relating to the destruction
of records. They note that the requirement only applies 'as soon as is
practicable after the responsible person becomes satisfied that the restricted
record is not likely to be required'.
The prospective nature of this phrasing suggests that there
is no requirement to destroy a record of an intercepted communication once the
legitimate purpose for which it was intercepted has been fulfilled.[22]
3.26
The EFA argued that proposed section 79A(2) should be amended to require
the destruction of applicable records as soon as practicable after the relevant
person becomes satisfied that the record is no longer likely to be required.
Although the distinction appears slight, the EFA argued that it was important
that this more explicit requirement be included.[23]
3.27
The AGD explained the position taken by the Bill:
Once the responsible person is satisfied that the original
record is not likely to be required for a person to perform their network
protection duties, the responsible person must cause the original record to be
destroyed. This is the same in the case of a Commonwealth agency, security
authority or eligible authority of a State. However, the responsible person in
these designated organisations must also be satisfied that the restricted
record is not likely to be required in relation to any disciplinary action
regarding use of the network.[24]
Copies of records
3.28
New section 79A of the TIA extends only to the destruction of the
original record of a communication intercepted under 7(2)(aaa). The Explanatory
Memorandum states that:
There is no obligation on the responsible person to
destroy copies of restricted records as often they are no longer in the
possession of the responsible person, but have been lawfully
communicated to another person.[25]
3.29
The Australian Law Reform Commission (ALRC) noted that:
Section 150 of the TIA contains a similar requirement to
destroy information or a record obtained by accessing a stored communication.
However, this section does not distinguish between a record and a copy of a
record.[26]
3.30
In his report into the regulation of access to communications in August
2005, Anthony S Blunn AO said that:
The Interception Act definition of restricted record is
curious in excluding a copy of a record even though the definition of ‘record’
includes a copy. Thus it would appear possible for agencies to avoid what
appears to be to be the clear intent of the Act simply by copying the ‘record’.[27]
3.31
The ALRC recently conducted an inquiry into Privacy in Australia. This
inquiry culminated in the production of the report entitled 'For Your
Information: Australian Privacy Law in Practice', which was tabled in Parliament
on 11 August 2009.[28]
During that inquiry:
A number of stakeholders... expressed the view that the same
destruction rules should apply to records and copies of records.[29]
3.32
In their submission to this inquiry, the ALRC pointed out that:
[According to the AGD]... the requirement to destroy copies was
excluded from s 79 because of enforcement issues. For example, agencies could
not enforce destruction of copies given to other agencies for permitted
purposes, or where the information appeared on the public record. The AGD also
noted that copies of lawfully intercepted information may be made only in
limited circumstances under the TIA, and that any copies of the information
continued to be protected from further use or communication.[30]
3.33
The ARLC submitted that, if copies of information obtained from a stored
communication warrant must be destroyed, the same destruction requirements
should apply to copies of information obtained from an interception warrant. The
recommended that the 'Data Security' principle under the Unified Privacy
Principles, which provides that an agency or organisation must destroy or
render non-identifiable personal information if it is no longer needed, should
apply to records as well as copies of intercepted information.[31]
3.34
The AGD, in their supplementary submission, further emphasised the
rationale behind excluding a destruction requirement for copies, saying that
imposing such an obligation may be outside the control of an individual or an
organisation and was therefore unenforceable.[32]
Other Issues
3.35
The OPC also raised two issues not covered by any other submitters
dealing with the importance of allowing individuals to access intercepted
information relating to them and the need for a review of the amendments.
Accessing intercepted communications
3.36
The OPC submitted that the Bill should include a provision modelled on
National Privacy Principle (NPP) 6.1 which allows an affected person to access
intercepted information relating to them. They argued that an essential
component of an effective privacy framework is the ability of anyone to access
their own personal information. The inclusion of an access provision may assist
in achieving an appropriate balance between the competing public interest in
maintaining computer network protection and individual privacy.[33]
3.37
The AGD argued that it was not necessary to provide individuals with
access to personal information contained in intercepted communications.
Information intercepted by a person performing network
protection duties is likely to be screened and copied only where it is
necessary to perform those particular functions. In the majority of cases it is
likely that these functions will be undertaken electronically and will only be
viewed and retained in circumstances that require further investigation or
action to be taken and the information must be destroyed when they are no
longer required for that purpose.[34]
Review of the act
3.38
The OPC recommended that the operation of these amendments should be
independently reviewed five years after their commencement.[35]
Conclusions
3.39
Generally, submitters did not feel that the Bill was clear about what
types of behaviour would be considered necessary for 'network protection
duties' and what constituted 'disciplinary action'. Some submitters felt that
the proposed disclosure regime for information that had been lawfully
intercepted could be strengthened. They submitted that this would prevent law
enforcement agencies from circumventing warrant arrangements and ensure that
the provisions were in line with community expectations. There was also some
concern about the absence of a requirement to destroy copies of restricted and
that the destruction requirement for original records was not strong enough.
3.40
However, submitters who gave evidence to the Committee were generally
supportive of the principles of the Bill. There was agreement that network
owners and operators should be allowed to protect the security of their
networks. Furthermore, it was deemed to be appropriate that only Commonwealth
agencies, security authorities and eligible State authorities should be allowed
to intercept communications for certain disciplinary purposes.
Committee View
3.41
The Committee feels that the concerns raised by submitters have been
satisfactorily addressed by the AGD in its supplementary submission. As such,
the Committee feels that the Bill should be passed. The Committee also notes
the 2008 recommendation that the any permanent network protection mechanism be
reviewed to ensure that it mitigates against intrusiveness and abuse of access,
and considers how secondary data may be managed appropriately.[36]
The Committee still feels that a review of the amendment contained in this Bill
is desirable.
Recommendation 1
3.42
The committee recommends that the Bill be passed.
Recommendation 2
3.43
The committee recommends that these amendments be reviewed five years
after their commencement.
Senator Trish
Crossin
Chair
Navigation: Previous Page | Contents | Next Page