Chapter 3

Key issues

3.1        A number of submissions supported the Bill, including submissions from the Australian Federal Police Association (AFPA), New South Wales (NSW) Police, Victoria Police, the Tasmanian Commissioner of Police and the Northern Territory Government.[1]

3.2        However, many organisations were concerned by aspects of the Bill. In a joint submission, the Australian Communications Alliance, the Australian Mobile Telecommunications Association and the Internet Industry Association (Communications Associations) welcomed many of the proposed amendments in Schedules 1, 3, 4, 5, 6 and 7, but opposed the amendments in Schedule 2.[2] The NSW Council for Civil Liberties, the Australian Privacy Foundation (Privacy Foundation) and the Castan Centre for Human Rights Law (Castan Centre) raised a number of concerns about the provisions of the Bill, particularly in relation to what they believe is a significant change to the role of security agencies in Schedule 6.[3] The Queensland Council of Civil Liberties endorsed the submission of the Privacy Foundation.[4]

3.3        The Australian Law Reform Commission (ALRC), the Commonwealth Ombudsman (Ombudsman) and the Office of the Australian Information Commissioner (Information Commissioner) raised other issues in relation to the TIA Act, particularly around privacy, record keeping and reporting.[5] The Law Council of Australia (Law Council), rather than comment on any particular aspect of the Bill, posed a number of questions about its intended operation.[6]

Enabling ASIO to provide technical assistance to law enforcement agencies in relation to telecommunications interception warrants (Schedule 1)

3.4        As outlined in Chapter 2, Schedule 1 will enable officers of the Australian Security Intelligence Organisation (ASIO), or persons assisting ASIO in the performance of its functions, to be authorised to exercise authority under a telecommunications interception warrant on behalf of a law enforcement agency.

Reporting obligations

3.5        The Information Commissioner supported the proposed amendments in Schedule 1 that seek to limit the use and disclosure of information intercepted by ASIO on behalf of another agency, as well as the extension of reporting requirements in the TIA Act to include interception warrants conducted by ASIO on behalf of other enforcement agencies.[7]

Role of the Ombudsman

3.6        The Ombudsman submitted that his office's oversight of the use of covert powers by law enforcement agencies 'provides an important safeguard and assurance to the Commonwealth Parliament and the general community that these powers are properly exercised.'[8]

3.7        The Ombudsman also reports annually to the Attorney‑General on the compliance of law enforcement agencies with record keeping and destruction requirements relating to telecommunications interceptions.[9] Further, the Ombudsman reports compliance regarding access to stored communications under the TIA Act, which may include non‑compliance by officers of the law enforcement agencies.[10]

3.8        However, the Ombudsman has no authority in respect of ASIO and as a result:

...interceptions undertaken by ASIO on behalf of other agencies may not be subject to the same level of scrutiny.[11]

3.9        The Ombudsman's submission noted that where ASIO executes a warrant on behalf of a law enforcement agency that the Ombudsman would normally inspect, the Ombudsman will not be able to interrogate the agency's systems to ensure, for example, that no interceptions occurred outside the period the warrant was in force.[12] Further, while oversight of ASIO is provided by the Inspector‑General of Intelligence and Security (IGIS), the TIA Act does not require the IGIS to inspect the records of ASIO in these circumstances.[13]

3.10      The Ombudsman indicated that discussions had taken place between his office and the Attorney-General's Department (Department) and ASIO.  His understanding from those discussions is that the obligation for ASIO to provide the particulars of the interception to the agency that sought the warrant would enable these records to be available for inspection by his office.[14] The Ombudsman stated that this would 'assist in retaining an adequate, albeit different, oversight arrangement'.[15]

Department response

3.11      The Department's submission drew attention to the need for a whole-of-government approach in relation to the challenges that agencies acting under interception warrants face from fast-changing technology.[16]

3.12      At the public hearing, Mr David Fricker from ASIO reiterated:

[i]f Australia's national security capability is to be maintained we have to position ourselves such that no agency is disadvantaged because another agency has a technical capability which is unavailable to them under their legal authority to undertake interception or investigative activity. I think the clock is ticking for us to strategically position ourselves, as a national security community, to make sure that this country's interests are best served by the infrastructure that we have across the national security community.[17]

3.13      The Department also emphasised the fact that the TIA Act currently allows law enforcement agencies to enable officers of another interception agency, except ASIO, to exercise the authority conferred by a telecommunications warrant.[18] The Department's submission was that the Bill will require ASIO to provide the information necessary for law enforcement agencies to comply with their record keeping and reporting obligations, and for records to be subject to inspection by the Ombudsman.[19]

Provision of technical assistance by ASIO

Concerns raised by the Information Commissioner

3.14      The EM states that the proposed amendments will enable ASIO to 'provide technical assistance to law enforcement agencies in relation to telecommunications interception warrants issued to those agencies'.[20] However, Item 5 of Schedule 1 does not contain any qualification that would limit this authorisation to the provision of technical assistance. As a result, the Information Commissioner suggested that Item 5 of Schedule 1 be amended:

...to explicitly reflect the stated policy intention of enabling the Australian Security Intelligence Organisation to provide technical assistance to law enforcement agencies in relation to telecommunications interception warrants issued to those agencies.[21]

Handling of personal information

Revision of guidelines issued to ASIO on handling of personal information

3.15      Often personal information obtained through interception warrants will not be covered by the Privacy Act 1988 (Privacy Act). Currently, guidelines issued by the Attorney‑General under section 8A of the ASIO Act provide guidance for ASIO on the handling of personal information. The current guidelines were issued on 12 October 2007 by the then Attorney-General, the Hon Philip Ruddock MP.[22] The Information Commissioner suggested that, given the expansion of ASIO's functions and powers, these guidelines should be reviewed.[23] He also indicated his willingness to assist in the development of these guidelines.[24]

3.16      The Information Commissioner also suggested that, in order to address potential gaps in privacy coverage, guidelines for all national security and law enforcement agencies on personal information handling practices should be developed. These could cover, for example, the accuracy, storage, security, retention and destruction of personal information. The ALRC's submission also drew the committee's attention to the report of its inquiry into the provisions of the Privacy Act, For Your Information: Australian Privacy Law and Practice (ALRC Report 108).[25] That report recommended that consistent privacy rules and guidelines should be developed for Australia's intelligence agencies.[26]

3.17      In response to a question on notice taken at the public hearing, the Department advised the committee that, under section 15 of the Intelligence Services Act 2001 (IS Act), the Minister responsible for the Australian Secret Intelligence Service (ASIS), Defence Signals Directorate (DSD), and Defence Imagery and Geospatial Organisation (DIGO) 'must make written rules regulating the communication and retention by the relevant agency, of intelligence information concerning Australian persons'.[27]  These are known as the Privacy Rules.

3.18      The committee also notes that, once an internal review is undertaken by relevant agencies and departments, there are legislative requirements that must be complied with in issuing or revising these guidelines or rules. These include:

...to consult with certain persons, provide copies to the Inspector-General of Intelligence and Security and the Leader of the Opposition, and ...[brief]...the Parliamentary Joint Committee on Intelligence and Security.[28]

Department response

3.19      When asked at the public hearing whether the guidelines issued by the Attorney‑General under section 8A of the ASIO Act will need to be reviewed, a representative from the Department stated:

...they will need to be reviewed in light of this legislation but possibly even more so in light of other changes to privacy legislation which are in the pipeline.[29]

3.20      When questioned by the committee in relation to consultation with key stakeholders on the revised guidelines and the length of time for revision of the guidelines, the department representative advised:

[consultation with stakeholders] is what I expect will be the case and that would be something we would be recommending. The timing of it I would have to take on notice. I have not really assessed how long it would take...It is a little hard for me to give you a specific time frame, but I will say it is something we would do as soon as practicable.[30]

3.21      The Department further advised the committee that '[c]ompliance with the Attorney-General's Guidelines and Privacy Rules is subject to independent oversight by the [IGIS]', who reports annually to the Parliament. The Department concluded:

In light of the existing privacy regimes, the Attorney-General's Department is of the view that additional privacy frameworks or MOUs do not appear to be necessary. The existing privacy regimes will continue to be reviewed and revised as appropriate to ensure they continue to balance operational considerations with appropriate privacy protections.

...

It is also noted that the decision to issue new or revised Attorney-General's Guidelines or Privacy Rules is a decision for the relevant responsible Minister.[31]

Telecommunications industry requirement to inform of proposed changes (Schedule 2)

3.22      The proposed amendments in Schedule 2 will require carriers and nominated carriage service providers (C/NCSPs) to notify the Communication Access Coordinator (CAC) if they intend to implement a change to a telecommunications service or system that is likely to have an adverse effect on the C/NCSP's capacity to comply with their obligations under the TIA Act or the Telecommunications Act.[32]

Industry concerns

3.23      The Communications Associations strongly opposed the amendments proposed by Schedule 2.[33] While noting that 'ongoing changes in technology and Industry structure mean that the legal interception regime may require adjustments from time to time', the Communications Associations contended that the proposed amendments in Schedule 2 will have a substantial impact on industry, with little, if any, apparent benefit to agencies.[34] Further:

[t]he Associations are concerned that Schedule 2 actually has the potential to create a situation in which Agencies will be less able to achieve their objectives, while also negatively impacting on Australian businesses and consumers. This is because the requirements as drafted will likely create a (more) uneven and non-technology-neutral playing field; increase costs; delay and restrict product availability and rollout; arbitrarily influence business partnership choices; and disadvantage Australian-based suppliers relative to overseas suppliers. This may force unregulated service providers (non C/NCSPs) to locate equipment outside of Australia, thereby not only disadvantaging C/NCSPs, the Australian Industry and consumers in a highly globalised environment but also resulting in a loss of current interception capabilities. This scenario thus implies an undesirable lose-lose situation.[35]

3.24      The Communications Associations were particularly concerned about the requirement to provide notice of proposed changes, the breadth of matters that will now have to be notified, and associated cost requirements for industry.[36]

3.25      The Attorney-General indicated in the second reading speech that it is intended that early notification will assist C/NCSPs to meet their obligations to assist interception agencies and avoid the need for costly alterations once a change has been implemented.[37]

Breadth of proposed changes

3.26      Although the provisions are in part based on similar provisions that were contained in Division 4 of Part 15 of the Telecommunications Act,[38] which were removed in 2007, the earlier provisions appear narrower in scope than the proposed provisions in Schedule 2. The previous section 332E of the Telecommunications Act referred to C/NCSPs giving notice of 'a new technology, or a change to existing technology'. However, Item 8 of Schedule 2 of the Bill refers to 'a change that is proposed to a telecommunications service or a telecommunications system'.

3.27      As noted in Chapter 2 of this report, a number of examples of such changes are provided in the Bill, including outsourcing arrangements and the purchase of equipment both in Australia and overseas, if it is likely to have a material adverse effect on the capacity of the carrier or provider to meet its obligations.[39]

3.28      The committee understands that the number of changes of which the telecommunications industry would be required to notify the CAC under these amendments may not be insignificant. As Mr Michael Ryan from Telstra (appearing on behalf of the Communications Associations) advised the committee:

[m]y particular organisation, in our 2010 interception capability plan, identified 104 new products and services which we would be launching from the 2009-10 financial year. Of those, we identified 17 which were brand new and which may have an impact on our interception capability plan. Of the other 87 products and services, we determined that there would be no impact or our existing capabilities would take care of that interception obligation. We believe that schedule 2 is going beyond that and placing a further large reporting burden on industry when in fact the interception capability plan appears to be working quite well at the present time.[40]

3.29      In response to a question on notice taken at the public hearing, the Communications Associations set out how they see the differences between the provisions that had been in the Telecommunications Act up until 2007 and Schedule 2 of the Bill.[41] The Communications Associations reiterated their staunch opposition to Schedule 2:

Contrary to what has been implied by the evidence presented by the [Department]...and the Department of Broadband, Communications and the Digital Economy, the proposed bill does not merely re-instate previous arrangements [it]...considerably extends and broadens the obligations of the existing Telecommunication Act.[42]

3.30      The Communications Associations also asserted that currently there are between zero and four formal updates, with an average of less than two, which is supplemented by 50-60 informal briefings to agencies each year.[43] The Communications Associations stated further:

[o]ne organisation advised that the new proposals would potentially generate over 500 notifications per year: 500 projects per year would need to be reviewed and potentially reported upon, based on current projects (over last 12 months); plus there are another 50-60 network equipment purchases that would have to be considered and added into the reporting process.

A second organisation presented similar figures, noting that approximately 350 projects in the past 12 months had required some Legal Intercept assessment/review. The extension of requirements to IT and outsourcing projects (currently excluded from requirements) would further increase the number of notifications required.[44]

3.31      The Department advised the committee that the CAC usually receives less than '5 updated ICPs per annum pursuant to section 201'.[45] However, the Department also noted that 'this does not reflect the full number of changes to services or networks which affect legal obligations and therefore warrant notification'.[46]

Costs

3.32      The Communications Associations were concerned that the proposed amendments would place a cost burden on the industry, commenting:

[the EM] also states that the changes will have no financial impact. The Associations dispute this statement, given the significantly increased administrative burden, the possible delays to market, veto of product launch, distortion of competition etc. Further, as explained in the Associations submission, the provisions may prevent a C/NCSP from realising cost savings through outsourcing, or cheaper service or equipment supply.[47]

3.33      The cost requirement for the industry was also raised by the Privacy Foundation, which indicated:

...the scope of the new requirement is not clear but it would appear to be an onerous burden on C/NCSPs too, requiring them unreasonably to 'speculate' about the possible effects of changes and whether they might have a 'material adverse effect' on capacity to comply with interception related obligations.[48]

Concerns about lack of industry consultation

3.34      The Communications Associations asserted that they had complied with their current obligations under the TIA Act:

Presently, the larger providers in the telecommunications industry have a very good and cooperative approach, regularly meeting with and talking to the agencies to brief them on new technologies and advances in telecommunications services and applications. This is in addition to—particularly with my organisation—our weekly meetings with the agencies to talk to their technical staff on operational and engineering issues that may impact on our capability to respond to agency requests. We also update, on a regular basis, the agencies, particularly at the Communications Security and Enforcement Roundtable, which is run by the ACMA, and also the expert group, which a lot of our senior managers attend on a regular basis.[49]

3.35      The Communications Associations also expressed their 'concern and disappointment that Government endorsed regulatory development processes have not been followed and [that] no Industry input has been sought in the drafting stage of this Bill'.[50] As a result, they sought that Schedule 2 be delayed, arguing:

...no demonstrated need exists for the far reaching proposed changes in Schedule 2. Instead minor amendments to the existing interception regime would constitute a more efficient and effective approach to a reasonable and sustainable interception regime.[51]

...

[The proposed amendments] should not be progressed at this time and ought to be re-drafted to address the [concerns outlined in the submission], using the Government's regulatory development process, including industry consultation.[52]

Other industry concerns

3.36      The Communications Associations raised a range of other concerns with the proposed amendments, including transparency, a lack of oversight of CAC actions,[53] a lack of provisions designed to protect the commercial confidentiality of C/NCSPs,[54] and the cost impact on industry.[55] It was also unclear whether 'material adverse effect' was an objective assessment to be made by C/NCSPs.[56] As previously noted in Chapter 2, there is also an absence of sanctions for agencies that fail to protect C/NCSPs' commercial confidentiality.

3.37      In response to a question on notice, the Communications Associations provided the committee with some proposed amendments to Schedule 2 that would ensure that some confidentiality provisions were inserted in the Bill.[57] They also proposed excluding proposed content changes from the operation of this Schedule.[58]

Department response

3.38      Despite not having detailed this matter in the EM, second reading speech or its initial submission to the committee, the representative from the Department was able to advise the committee:

...there have been incidents where the industry just had not identified that they have got a problem with their new technology. Then we have a terrible situation in terms of retrofitting it to make sure they do comply, to make sure that they have got the right technical solutions for interception, and it ends up costing them more. This is a measure which will just require them to write a letter or just advise us: 'We're moving to this technology. This is what we're planning to do'...So all they have got to do is give us a letter and outline what some of their plans are. It is not burdensome.[59]

3.39      In response to a question taken on notice, the Department advised further that there have been several occasions:

...where carriers or their third party outsource providers have committed to changes without timely consultation with agencies. This has resulted in avoidable and costly re-working.[60]

3.40      Without having further information available about the types of issues that have arisen, it is difficult for the committee to assess the concerns of the Communications Associations. This point was also observed by the Communications Associations, which stated:

[t]he explanatory memorandum for the Bill maintains that the current procedure is considered inadequate as it only provides for notification of changes after they are about to happen. It does not mention any inadequacies relating to the scope of the current arrangements.[61]

3.41      The Department was asked at the public hearing about whether the provisions in Schedule 2 could be amended to better express the requirement for industry to advise the CAC of particular matters.[62]  On notice, the Department advised the committee that it did not consider changes to be required.[63]

Disclosure of telecommunications data in relation to missing persons (Schedule 3)

3.42      Schedule 3 proposes to amend the TIA Act to insert a new exception to allow an authorising officer of the AFP or a state police force to authorise disclosure of telecommunications data when the officer is satisfied that the disclosure is reasonably necessary for the purposes of finding a missing person. However, information may not be disclosed to the person who filed the report except:

3.43      The committee notes that 'telecommunications data' is information about a telecommunication but does not include the content of the communication itself (for example, a list of telephone numbers dialled).[64] Historical telecommunications data can be accessed by an enforcement agency under the TIA Act for the purposes of the enforcement of a criminal law, a law imposing a pecuniary penalty or the protection of the public revenue.[65] Prospective telecommunications data (data that will exist in the future) may be accessed by a 'defined criminal law enforcement agency for the investigation of a criminal offence punishable by imprisonment for at least three years'.[66] Offences exist for inappropriately disclosing or otherwise using the information, and agencies are required to keep records of access.[67]

Privacy concerns

3.44      Both the Information Commissioner and the Privacy Foundation raised a number of privacy issues in relation to the proposal to enable the disclosure of telecommunications data about missing persons.

3.45      The Privacy Foundation argued that:

...it is not clear how, if the use of relevant information for the purposes of missing person investigations is to be subject to an overriding 'consent' condition, why the amendments are necessary, as consent is already an exception to the non-disclosure provisions of the Telecommunications Act. Item 5 suggests that disclosure of missing persons information will be authorised without consent where consent is impracticable, but again, there are existing exceptions in the Telecommunications Act which address situations where safety, life or health are at risk.[68]

Proposed amendments to Schedule 3

3.46      The Information Commissioner suggested a number of amendments be made to Schedule 3 of the Bill to enhance the privacy safeguards:

[t]he Office is of the view that authorising the disclosure of telecommunications data for public safety purposes represents an expansion in the scope of the TIA Act and should be carefully considered.

...The Office is concerned that, if the purposes for which telecommunications data can be disclosed is extended to public safety purposes in this instance, then in the future other additional public safety purposes may be identified as warranting a similar approach. Over time this could lead to 'function creep' potentially diminishing privacy protections surrounding communications between individuals.[69]

3.47      The proposed amendments suggested by the Information Commissioner include:

3.48      The Information Commissioner also suggested that a set of binding rules or regulations be introduced to apply to the handling of telecommunications data related to missing persons. The Information Commissioner recommended that this guidance could reflect the government's First Stage Response[71] to the ALRC's recommendations in its report on the Privacy Act.[72] In that response, the government stated that an express exception to the use and disclosure privacy principle should apply for the purpose of locating a reported missing person. However, in recognition of the sensitivities associated with missing persons, any missing persons' exceptions should be made in accordance with binding rules issued by the Privacy Commissioner.[73]

3.49      At the public hearing, Ms Helen Donovan from the Law Council endorsed these suggestions of the Information Commissioner.[74]

Department response

3.50      The Department's submission indicated that, because missing person information can only be disclosed to the person who made the report if the missing person consents, is deceased or to prevent a threat to the missing person's health, life or safety:

[t]hese restrictions will ensure that the privacy of the missing person is respected and the information is only disclosed without the consent of the missing person if it is for their benefit.[75]

3.51      Further, the Department advised the committee of another safeguard, namely that agencies will be required to report on the number of authorisations in relation to missing persons made by their agency.[76] In addition, unauthorised disclosure or use of information is an offence punishable by two years imprisonment.[77]

Stored communications warrants in relation to victims of serious contraventions (Schedule 4)

3.52      The proposed amendments in Schedule 4 clarify that a stored communications warrant can be obtained to access the stored communications of both the offender and the victim of a serious contravention.[78]

3.53      The Ombudsman's submission stated that he is 'of the view that the TIA Act does not presently allow a warrant to be sought in respect of a victim of a serious contravention'. Accordingly, he welcomed the amendment proposed by Schedule 4.[79]

Concerns about compliance in accessing stored communications

3.54      While supportive of the amendment, the Ombudsman noted that this 'is but one of a number that are required in order to bring some clarity to a regime with significant compliance issues identified by my office'.[80]

3.55      The Ombudsman's submission also observed that during 2009-10, he carried out 17 inspections of stored communications records maintained by 14 agencies, including the AFP, the Australian Crime Commission (ACC), the Australian Securities and Investments Commission, the NSW Crime Commission, NSW Police, Queensland Police, Queensland Crime and Misconduct Commission, South Australia Police, Tasmania Police, Victoria Police, the Victorian Office of Police Integrity, Western Australia Police, the Corruption and Crime Commission (Western Australia) and the Australian Customs and Border Protection Service.[81]

3.56      The level of compliance by the AFP and the ACC with the requirements of the TIA Act in respect of telecommunications interception is generally high.[82] However, the Ombudsman also identified a number of significant issues regarding compliance with the relevant provisions of the TIA Act in relation to access to stored communications, which were outlined in his report to the Attorney‑General in 2008‑09.[83]

Proposal to provide guidance to assist law enforcement agencies

3.57      The Information Commissioner suggested that guidance, in the form of binding rules or regulations, should be developed to assist law enforcement agencies to determine when a person is unable to consent or when it may be impracticable to gain the consent under the proposed amendments in Schedule 4.[84]

3.58      The Information Commissioner also suggested that the EM to the Bill should expressly identify where privacy issues may arise to provide assistance to the issuing authority when considering the factors set out in subsection 116(2) of the TIA Act.[85]

Department response

3.59      At the public hearing, the Department was asked to respond to the Information Commissioner's comments about whether the EM should be clarified in order to provide guidance on situations when it may be impracticable to provide consent.[86]

3.60      In its response, the Department advised the committee that '[i]t was not thought necessary for the [EM] to be too prescriptive about those issues, as it is a question of fact to be determined in the circumstances of each case.'[87] The Department commented that '[t]he decision is a matter for the issuing authority, who should have sufficient flexibility to make a decision about the circumstances relating to victim notification in individual applications.'[88]

3.61      The Department also drew the committee's attention to subsection 116(2), which sets out the matters that the issuing authority must consider before issuing a stored communications warrant, which are not affected by these proposed amendments.[89] The section provides:

(2) The matters to which the issuing authority must have regard are:

(a) how much the privacy of any person or persons would be likely to be interfered with by accessing those stored communications under a stored communications warrant; and

(b) the gravity of the conduct constituting the serious contravention; and

(c) how much the information referred to in paragraph (1)(d) would be likely to assist in connection with the investigation; and

(d) to what extent methods of investigating the serious contravention that do not involve the use of a stored communications warrant in relation to the person have been used by, or are available to, the agency; and

(e) how much the use of such methods would be likely to assist in connection with the investigation by the agency of the serious contravention; and

(f) how much the use of such methods would be likely to prejudice the investigation by the agency of the serious contravention, whether because of delay or for any other reason.[90]

Cooperation, information sharing and other assistance between intelligence and law enforcement agencies (Schedule 6)

Law enforcement and national security functions

3.62      Schedule 6 was considered by submitters and witnesses to be the most contentious part of the Bill. This Schedule proposes to provide ASIO, ASIS, DSD and DIGO with a new function of cooperating with and assisting each other, and with prescribed Commonwealth and state authorities. Regulations will be used to prescribe authorities of the Commonwealth or of a state to enable the national security agencies to cooperate with and assist those bodies in the future.[91]

3.63      In addition, the Bill proposes to enable ASIO to cooperate with and assist law enforcement agencies in the performance of their functions. 'Law enforcement agency' is defined quite broadly.[92] The EM indicates that this definition is intended to cover a wide range of agencies, including 'other bodies that have functions connected with law enforcement, such as integrity and corruption agencies and also other agencies with investigatory and enforcement powers with respect to Commonwealth and State laws'.[93]

3.64      The Bill also proposes amendments to the communication provisions in the ASIO Act to enable the Director-General to communicate information that has come into the possession of ASIO in the course of performing its functions, to specified persons in specified circumstances.[94] The circumstances where information may be communicated are where:

3.65      The Department has advised the committee that while ASIO has both intelligence and assessment functions, 'ASIS, DSD and DIGO have functions relating to foreign intelligence production but not assessment'.[97] The Department stated that this 'can result in limitations on the cooperation or assistance which the latter agencies can provide to ASIO in relation to its security intelligence assessment functions' in addition to having implications for 'multi-agency teams and taskforces that have assessment related roles'.[98] Further:

agencies under the IS Act have functions that concern 'intelligence about the capabilities, intentions or activities of people or organisations outside Australia' as relevant to Australia's national security, foreign relations or national economic wellbeing...ASIO's functions relate to security...threats to Australia and Australian interests. [99]

Need to retain distinct roles of national security and law enforcement agencies

3.66      The Privacy Foundation expressed 'the most serious concern about this Bill',[100] suggesting that the Bill's 'effect is to destroy the hitherto carefully maintained separation between the roles of national security and law enforcement'.[101] Further:

[t]he Bill comes close to giving a very wide range of enforcement agencies (and not just those engaged in criminal law enforcement) access to the same extraordinary powers that have rightly been limited, to date, to a few specialised agencies with narrow and targeted functions.[102]

3.67      The Privacy Foundation also noted that '[w]hile some residual barriers remain or are re‑asserted in the Bill, they are seriously weakened'.[103]

3.68      Similar concerns were raised by the Castan Centre:

[Schedule 6 would] significantly broaden the scope for Australian intelligence organisations – including organisations [which] hitherto have had a statutory obligation to confine their operations primarily to people and organisations outside Australia – to become participants in domestic governmental functions, including but not limited to domestic law enforcement. This has implications for privacy, for the political independence of law enforcement bodies, and for the relationship between Parliament, the Executive and the people that is at the heart of the Australian system of government.[104]

3.69      The Law Council was also concerned that although the EM asserts that the Bill 'does not affect the distinction between law enforcement and intelligence functions' whereby 'arrests and prosecutions will remain a matter for police and prosecutorial authorities' and 'ASIO's primary function will remain gathering and analysing intelligence', it was unclear how the 'distinction between law enforcement and intelligence functions' could be guaranteed.[105] This is particularly the case as 'proposed section 19A does not require any nexus between the type of work that ASIO staff may do for other agencies and ASIO's existing functions'.[106]

3.70      NSW Council for Civil Liberties also raised concerns with Schedule 6, noting:

[i]t is vitally important that the functions of the security and intelligence bodies are so far as possible kept distinct from those of the law enforcement agencies—that ASIO for instance is not inappropriately involved in police work; that it does not become Australia's secret police.[107]

Proposal to require reporting on new powers and review mechanisms

3.71      NSW Council for Civil Liberties suggested that, if Schedule 6 is to remain in the Bill, an additional safeguard should be included to provide:

[e]ach year, a report ... be made to the Attorney General and the Parliament concerning the number of interceptions and accessions to stored communications in which ASIO (or ASIS, DSD or DIGO) have been asked to assist the law enforcement bodies, the agencies assisted, the crimes being investigated, the use of the information in evidence and the convictions which have resulted.[108]

3.72      In addition to the suggestion that a report be made to Parliament each year, the Information Commissioner also suggested that a statutory review mechanism be included in Schedule 6 of the Bill to allow the operation of the information sharing arrangements to be reviewed and assessed after a period of time.[109]

Concerns about enabling ASIO to communicate information in relation to serious crimes

3.73      The Castan Centre stated that the 'conduct to which the information relates need no longer be an offence against an Australian law, but only conduct which, were it committed within Australia, would be a criminal offence.'[110] Its view was that these amendments could result in ASIO becoming involved in criminal investigations of Australians overseas and communicating that information to Australian authorities. It was also concerned that it may enable ASIO to communicate 'to customs or immigration officials information about individuals' undertaking acts that 'are prohibited in Australia but legal in the overseas country where [they] took place'.[111]

Department response

3.74      In a response to these concerns on notice, the Department drew attention to the information provided by Mr David Fricker of ASIO at the public hearing:

These are serious decisions made at the most senior levels of ASIO about what is and what is not the national interest. These are traditional judgments. These are judgments which have always been made by the Director-General of Security. I do not want to leave this committee with the view that we are now going to have a spin-off line of business that with every warrant we have we must produce something for other agencies. It is not that at all. These are serious considerations about what goes to the national interest.[112]

Definitions of 'law enforcement agency' and 'national interest'

3.75      The lack of definition of 'law enforcement agency' and 'national interest' raised a number of concerns for submitters.

3.76      The Privacy Foundation argued:

[i]n the context of the proposed amendments to the ASIO Act, the new definition [of 'law enforcement agency'] is far too broad, and should be limited to a finite list of specified agencies set out, for these purposes either in the ASIO Act or in the TIA Act...This list should not include the wide range of agencies that may have incidental 'investigatory and enforcement powers' – which would be most government agencies.[113]

Concerns over which agencies are 'law enforcement agencies'

3.77      The Law Council was also concerned that the definition of 'law enforcement agency' was broad enough to enable ASIO to share information with agencies including the Australian Tax Office, Centrelink and the Australian Securities and Investment Commission in relation to 'possible breaches of the laws those agencies administer'.[114]

What is the 'national interest'?

3.78      The Law Council was also concerned about how the 'national interest' is to be interpreted.[115] This issue was also raised by the Privacy Foundation[116] and the Castan Centre.[117] The Castan Centre's submission stated that, because ASIO must be satisfied that 'the national interest requires communication of that information',[118] it is hard to estimate the effect of this provision because it depends upon ASIO's understanding of the 'national interest'. The Castan Centre's view was that the amendment would enable:

...ASIO to communicate information that it obtains about non-violent political activities, where ASIO forms the view that such demonstrations or protests could lead to economic disruption, or to disruption of high-level government activities (such as diplomatic gatherings), and that such disruption would be contrary to the national interest. This could extend beyond protest or demonstrations to (for example) political advertising campaigns that appeared to threaten the national interest. Furthermore, such information could be communicated not only to police forces, but (for example) to State departments or instrumentalities concerned with the activity that ASIO fears will be disrupted.[119]

3.79      While the Castan Centre's submission also noted that section 17A of the ASIO Act, which provides that ASIO 'shall not limit the right of persons to engage in lawful advocacy, protest or dissent', was unaffected, the Castan Centre was concerned these amendments have 'the potential to chill political activity by creating a possibility ...that information about political activity deemed contrary to the national interest will be communicated by ASIO to other agencies and authorities'.[120]

Department response

3.80      When the Department was asked to provide examples in which exchange of information in the national interest could occur, the departmental representative stated:

[o]ne example is the ability to pass information on to the people who administer the Migration Act. Another example might be the Taxation Office, where ASIO comes across an absolutely huge taxation fraud which would affect government revenue and your ability to look after the community by reducing revenue—the Project Wickenby task force is an example. It is quite possible for an agency like ASIO as part of its normal functions to come across something relevant to that. As we know, people that ASIO might be interested in under its normal functions are sometimes involved in other illegal activities.[121]

3.81      In response to concerns raised in submissions about what the 'national interest' is, the Department advised:

[t]he term 'national interest' is used in other contexts in Commonwealth legislation where it is not defined [for example, the Trade Practices Act 1974]. Courts, when considering decisions made on grounds of national interest in other contexts, have generally expressed views indicating that the primary determination of what is in the national interest is for the Minister.[122]

Prescription by regulation

3.82      The Privacy Foundation argued that the provision for other agencies to be prescribed by regulation gives an unacceptable level of discretion to the Executive. Further:

[m]ajor decisions on policy settings, such as in this case the determination of which agencies – including non-law enforcement agencies – can get the benefit of national security and national intelligence agency assistance, should remain the prerogative of Parliament to make in the legislation itself.[123]

3.83      The Law Council was also concerned by the ability to prescribe agencies by way of regulation. When asked by the committee what the Law Council's views were on this matter, Ms Donovan stated that, '[i]n many situations, the most appropriate legislative response is going to be to have an exhaustive list of agencies. I do not think it is that onerous or cumbersome to list those'.[124]

Department response

3.84      When the Department was asked about whether Commonwealth and state authorities should be named in the legislation, rather than by regulations, the departmental representative responded:

[a]s you know, the legislative program is very busy and it takes some time to do that. Sometimes you may have an emergency situation where listing the correct organisation quickly might well impact on things operationally. Of course, the parliament can disallow the regulations which provide the listings.[125]

Creation of a comprehensive privacy framework

3.85      The Information Commissioner suggested that a privacy framework be developed to support the information sharing arrangements set out in Schedule 6 of the Bill:

[t]his framework could be established through the development of a memorandum of understanding between participating agencies. The framework could include personal information handling guidelines covering the collection, use, disclosure, accuracy, complaint handling, storage, security, retention and destruction of personal information that falls within the scope of the information sharing arrangements.[126]

3.86      During the public hearings, the Australian Privacy Commissioner, appearing for the Information Commissioner, was asked whether the guideline should be a legislative instrument or simply a guideline to assist stakeholders.[127] In response to this question on notice, the Privacy Commissioner advised:

[t]here are various mechanisms that could be adopted to achieve consistent and uniform privacy guidelines across all jurisdictions. The Bill could contain in the applicable Schedules a clause specifically requiring the creation of privacy guidelines. Such a provision could identify those privacy issues to be covered in the guidelines and specify the accountability mechanism. Adopting this approach would provide Parliament with an express role in determining privacy protections. Alternatively, guidelines could be prescribed by way of regulation.

Another option could be for the development of a set of guidelines that could build upon existing privacy frameworks. These existing frameworks may need to be reviewed and amended to ensure they are best able to address any privacy issues arising out of the Bill and are consistent across jurisdictions. These guidelines could also apply through memorandums of understanding in those jurisdictions where there is no comparable privacy framework.[128]

Department's response

3.87      The Department's view is that there are already sufficient safeguards provided and there is no need to further develop personal information handling guidelines.[129] The Department also emphasised that unauthorised communication of information by an officer of ASIO is an offence.[130]

Other issues

Prospective access to telecommunications data in missing persons cases

3.88      NSW Police suggested an additional amendment be included in the Bill to:

...enabl[e] law enforcement agencies to gain authorised prospective access to telecommunications data pursuant to Section 180 of the Telecommunications Interception and Access Act 1979. Prospective access to this kind of information will allow police to use real-time information to ascertain the current whereabouts of missing persons as opposed to having to rely on data available only up until the time at which the missing person notification was made.[131]

3.89      When asked about this at the public hearing, the AFP indicated its support for the proposal. The AFP later clarified that it agreed with the statements made by the NSW Police about the current state of the law; however, legislative amendment is a matter for government.[132] The AFP indicated that it supported Schedule 3 as it was proposed in this Bill.[133]

Telecommunications interference in an investigation

3.90      The AFPA also suggested an additional amendment:

[c]urrently the TIA Act does not specifically allow law enforcement agencies to interfere with the telecommunication devices of a person of interest in an AFP investigation. This type of necessary interference may include temporarily deactivating the international roaming capabilities of a specific phone with an Australian carrier; or temporarily blocking an outgoing phone signal at an examination facility.

The AFP recommends that an amendment should be made to the Telecommunications (Interception and Access) Act [1979] to specifically allow enforcement agencies to interfere with telecommunication devices of persons of interest to an AFP investigation where it is important to disrupt their communication with other members of a criminal syndicate or terrorist group in order to preserve evidence or potentially prevent a criminal act or terrorist act occurring.[134]

Explanatory Memorandum

3.91      The Information Commissioner, the Privacy Foundation and the Law Council expressed concerns about the quality of the EM.[135] The Communications Alliance raised the need for clarification around their reporting requirements. Further, the Information Commissioner indicated that the EM could specifically detail where privacy issues may arise within the context of these amendments to assist issuing authorities when considering factors under subsection 116(2) of the Telecommunications (Interception and Access) Act 1979.[136]

3.92      The extensive additional information provided by the Department on 19 November 2010,[137] while of great assistance to the committee, indicates the clear deficiencies in the EM. The committee considers that much of the material provided by the Department should have been included in the EM to provide guidance when considering the Bill.

Office of the Privacy Commissioner's 4A Framework

3.93      The Information Commissioner suggested that utilising the former Office of the Privacy Commissioner's 4A Framework[138] could assist in ensuring the proposed amendments in the Bill only apply in circumstances where it is necessary and proportionate to facilitate information sharing between intelligence and law enforcement agencies undertaking their legitimate functions.[139]

Lack of consultation and imperative for the Bill

3.94      The committee notes the apparent lack of consultation with affected bodies and key stakeholders, such as the Communications Associations and the Law Council, in the development of the Bill. At the public hearing, Ms Helen Donovan from the Law Council asserted:

Our position is that the bill should not be passed—that [Items 12 and 17 of Schedule 6] of the bill, at least, should not be passed—until adequate explanation is provided as to why they are necessary and how they are intended to be used.[140]

3.95      In response to these concerns, the representative from the Department told the committee that there had been some opportunity for comment by stakeholders:

I think the bill was introduced some time in June. So it has been out there for quite a long time. It is not as if people have not had an opportunity to digest what was in it. It is the case that we often do much more comprehensive consultation processes. An example of that is that national security legislation and our purple discussion paper. That is for much more comprehensive and substantial changes. Sometimes with amendments like these which in our mind are not of the same nature, we do not have a particularly ornate process.[141]

3.96      The departmental representative also indicated that there is an imperative to pass this legislation quickly and that, during the 2009-10 budget, funding of $100 million over four years was allocated for telecommunications interception.[142] Part of this money was provided for ASIO to assist the ACC and the Australian Commission for Law Enforcement Integrity with telecommunications interception capabilities on a pilot basis to address future technological challenges.

3.97      The National Interception Technical Assistance Centre pilot program commenced on 1 July 2010 and is intended to operate for two years.[143] The pilot program will involve ASIO, with assistance from the AFP, providing 'coordinated technical assistance to other Australian interception agencies by providing a central point of reference from which agencies can receive technical assistance to help keep pace with technical change'.[144]

3.98      The departmental representative stated that some parts of the pilot could not be implemented without passage of this Bill, and also noted that some legislative gaps had been identified following the incident on Northwest Airlines Flight 253 in December 2009.[145]

Committee view

3.99      The committee understands and appreciates the importance of ensuring that Australia's national security agencies and law enforcement agencies have access to the best information and technical expertise available. It also acknowledges that this Bill will be important in enabling greater cooperation, assistance and information sharing between national security and law enforcement agencies, and is strongly supported by key stakeholders in that community.

3.100         However, the committee is mindful of concerns raised by a significant number of submitters in relation to the broadening of security agencies' powers and the need to balance the 'public interest in law enforcement and national security agencies sharing information to facilitate their legitimate activities and the public interest in protecting the personal information of individuals'.[146]

3.101         Submissions to this inquiry, while generally supportive of the broader approach, have suggested that there may be less intrusive ways of achieving a similar outcome, with greater protections being provided to the privacy of individuals and without increasing the regulatory burden on business in relation to Schedule 2 of the Bill. As the Information Commissioner noted:

[b]y implementing high standards of personal information handling law enforcement and national security agencies can help maintain information quality and assist in maintaining the integrity of investigations and inquiries. This will deliver better outcomes as well as promote community trust and confidence in the sharing of personal information by law enforcement and national security agencies.[147]

3.102         The committee also considers it to be unfortunate that some of the issues identified in this inquiry were not previously canvassed due to limited, if any, consultation with key stakeholders outside the national security and law enforcement community. The committee expresses concern about the lack of explanation provided in the EM to the Bill and is of the view that much of the information provided in the Department's answers to questions on notice and supplementary material should have been included in the EM.

3.103         The committee appreciates the efforts of submitters and witnesses, in particular the Communications Associations, the Law Council, the Information Commissioner and the Ombudsman, for raising potential issues in relation to the Bill's drafting, operation and impact, and puts forward recommendations to address some of these issues.

Recommendation 1

3.104         The committee recommends that the Attorney-General's Department revise and reissue the Explanatory Memorandum to the Bill to:

  • provide greater clarification to carriers and nominated carriage service providers about their reporting requirements under the Telecommunications (Interception and Access) Act 1979;
  • specifically detail where privacy issues may arise within the context of these amendments to assist issuing authorities when considering factors under subsection 116(2) of the Telecommunications (Interception and Access) Act 1979; and
  • address what the existing legislation already provides for and explain why those existing provisions do not adequately meet the operational requirements of intelligence and law enforcement agencies.

Recommendation 2

3.105         The committee recommends that, consistent with further clarification being provided in the Explanatory Memorandum as outlined in Recommendation 1, guidelines be developed by the Attorney-General's Department to provide further clarification to carriers and nominated carriage service providers about their reporting requirements under Schedule 2 of the Bill.

Recommendation 3

3.106         Subject to the above recommendations, the committee recommends that the Senate pass the Bill.

Senator Trish Crossin
Chair
