Chapter 3 - Extension of network protection sunset dates

Chapter 3 - Extension of network protection sunset dates

3.1        Several submissions commented on the proposed extension of the sunset clauses for network protection exemptions. When these provisions were first introduced to Parliament in the Telecommunications (Interception) Amendment Bill 2006, the Minister stated that network protection was an issue for both public and private organisations and that a policy proposal to allow appropriate, lawful access for network administrators was the subject of ongoing consultation. Since then these provisions have been amended only to allow additional law enforcement agencies, not corporate agencies, to be exempt under the provisions. 

3.2        The Law Council of Australia (Law Council) submission noted that sunset clauses are included in legislation for a number of purposes, including to:

  • ensure that certain legislative provisions only remain in operation as long as is necessary to address a temporary emergency situation;
  • compel the periodic review of the operation of a controversial provision; and
  • provide a temporary measure to respond to a particular problem, while a more permanent solution is developed.[1] 

The Law Council noted that the sunset clauses relating to network protection fulfil the third purpose.

3.3        In submissions to the inquiry, the Australian Privacy Foundation and the Law Council proposed that consideration of a further extension of the sunset clauses relating to network protection should be based on further information. In particular, these parties contended that the Senate should be provided with information on progress toward a more permanent solution, particularly for corporate entities, on why such a solution is not in place, and whether and why a further eighteen months is required.

3.4        Addressing the issue of progress towards a longer-term solution, the  Attorney-General's Department submitted that:

While significant progress has been made by the Department towards a full legislative solution, the additional 18 months will allow adequate time to finalise the policy development and undertake consultation with state and territory governments and a broad range of non-government stakeholders. The additional 18 months will also allow for any issues raised during these consultations to be fully considered and incorporated where appropriate.[2] 

3.5        When asked by the committee about the extent of progress to develop a long term solution, the Attorney-General's Department responded:

We have been developing a discussion paper which has not gone outside the Attorney-General’s Department. What has become clear, as we look into the problem, is that technology is moving very quickly. The types of threats to critical infrastructure are changing every single day and so we are looking at the scope of any possible solution to address the kinds of challenges that we are dealing with. We work with our critical infrastructure protection area in the department very closely and it is with them that we are actually looking at the scope of any solution.[3]

3.6        In relation to why the Department needed a further 18 months for the process, representatives said that:

...essentially we are taking into that time the fact that we have just had an election so that slowed down any development of a particular policy. Now we want to ensure that we develop a solution that allows us to consult very broadly because there are a lot of stakeholders who will be affected by any change in legislation. We want to ensure that we do not need a further extension of time, so that is why we have sought 18 months.[4]

3.7        The committee also sought information from government representatives on whether corporate agencies may be in technical breach of the TIA Act in their current practices for virus scanning and email quarantine systems. A representative of the Attorney-General's Department acknowledged that this is a grey area, stating:

The nature of computer networks is so different and complex that I could not comment on whether particular areas of industry or banking or whatever would be in technical breach of the act. What I can say is that when it is appropriate we constantly provide guidance to organisations when they ring up and talk about their filtering systems. You will find that a lot of organisations actually straightaway block emails of a particular attachment type because they know that they are likely to have problems embedded, even though they might be quite innocent. They also run electronic scanning, which is not in breach of the legislation. But we have identified that this is an area that is grey and that needs to be dealt with as quickly as we can. Certainly I am not aware of any organisation that is in technical breach of the legislation. As I have said, we welcome people to approach the department and seek guidance on how they can actually act and not be in breach of the legislation and still protect their networks.[5] 

3.8        The committee also sought to clarify with other witnesses whether they had any specific concerns with the amendments relating to extension of the sunset dates contained in the Bill. A number[6] supported the submission of the Office of the Privacy Commissioner (OPC), which stated that:

The Office supports the position of the Blunn Review that network protection provisions should be accompanied by appropriate privacy protections. Further, in the view of the Office, the subsequent widening of the scope of the network protection exemption to over 20 agencies makes it more important that the safeguards recommended by the Blunn Review are built-into the legislation, including for the purposes of the proposed 18 month extension to the sunset provisions.[7]

3.9        In relation to privacy protections, the OPC recommended that consideration be given to amending the Bill to contain the following more rigorous requirements:

  1. a prohibition on secondary use of any data accessed for the purpose of protecting the agency's network security, unless there are cogent public policy reasons which reflect community expectations;
  2. that agencies must clearly identify the people who are given the authorisation under exemptions; and
  3. that any data obtained for the purpose of network security should be immediately destroyed when it is no longer needed for that purpose.[8]

3.10      The committee notes that recommendation (b) is consistent with findings in the Blunn report. Both the OPC and the Blunn report also proposed a higher level of personal privacy protection for network protection provisions than is currently enshrined in the TIA Act. However, while their issues and recommendations are not mutually exclusive, the Blunn report raises additional issues in regards to voice data and evidence discovered in relation to criminal behaviour:

There should be clear authorisation and the persons with that authority should be clearly identified. Those persons should be required to protect the privacy of any data accessed in the same way that the employees of C/CSPs [Carriage and Carriage Service Providers] are required to protect data accessed in the course of their employment. The vexed question is what should happen where such access discloses evidence of criminal behaviour. ... In my view in both situations the content of the communication should be protected but the person with access may report their view that there may be evidence of criminality etc. The data, presumably other than voice data, could then be accessed as if it were a stored communication i.e. by search warrant. The question of the use of the content of voice data raises significant evidentiary and other problems and should be separately considered.[9]

Committee findings and recommendations

3.11      The committee is aware of the rapidly changing nature of technology and of the sensitive nature of data held by security and law enforcement agencies. These agencies consequently face challenges in maintaining secure networks and professional standards—both of which the community expect them to maintain in a manner that safeguards rights, privacy and safety.

3.12      While developing 'technologically neutral' legislation may be difficult, almost eighteen months have passed since the sunset clauses were approved by Parliament. This timeframe was apparently established to allow the Attorney-General's Department to develop a full legislative solution to network protection issues for corporate entities and interception agencies.

3.13      Additionally, the Blunn report had proposed in 2005 that the network protection provisions should address both corporate and interception agency needs, and had raised a number of issues that needed to be resolved in terms of privacy and secondary data use. The issues raised by the Blunn report were not addressed in the Telecommunications (Interception) Amendment Bill 2006, partly due to its late insertion into the parliamentary program, and were also not addressed when additional agencies were given network protection exemptions in 2007.[10]

3.14      The committee considers that the recommendations made in the submission to this inquiry by the Office of the Privacy Commissioner in relation to privacy issues warrant further consideration, along with the unresolved issues raised in the Blunn report. 

3.15      Since the Blunn report, the committee has now been asked on three occasions to consider the network protection issue, with little or no information being provided on the impacts on privacy and agency accountability. Furthermore, the so-called 'grey area' of monitoring and interception of data in corporate networks does not appear to have progressed beyond a draft policy within the Attorney-General's Department.

3.16      The committee considers that any future legislative amendment of the network protection provisions (including sunset clauses) should include a thorough and considered response to achieving a balance between individual privacy rights and network protection requirements. Such a review should assess mechanisms to mitigate intrusiveness and abuse of access, and consider how secondary data may be managed appropriately.  

3.17      However, the committee considers that these issues can not be adequately addressed by amending the Bill, given the imminent expiry of the sunset clauses. Further, implementing a single change to ensure that the person to which the exemption applies is clearly identified would be an incomplete solution, which might reduce the likelihood of this issue being resolved in a more comprehensive way.

Recommendation 1

3.18      The committee recommends that, if further legislation proposing amendments to the network protection provisions (including to sunset clauses) is introduced, such legislation should include a thorough and considered response to achieving a balance between individual privacy rights and network protection requirements. Such a review should assess mechanisms to mitigate intrusiveness and abuse of access, and consider how secondary data may be managed appropriately.

Navigation: Previous Page | Contents | Next Page