Chapter 3
Key issues
3.1
A number of submissions supported the Bill, including submissions from
the Australian Federal Police Association (AFPA), New South Wales (NSW) Police,
Victoria Police, the Tasmanian Commissioner of Police and the Northern
Territory Government.[1]
3.2
However, many organisations were concerned by aspects of the Bill. In a
joint submission, the Australian Communications Alliance, the Australian Mobile
Telecommunications Association and the Internet Industry Association (Communications
Associations) welcomed many of the proposed amendments in Schedules 1, 3, 4, 5,
6 and 7, but opposed the amendments in Schedule 2.[2]
The NSW Council for Civil Liberties, the Australian Privacy Foundation (Privacy
Foundation) and the Castan Centre for Human Rights Law (Castan Centre) raised a
number of concerns about the provisions of the Bill, particularly in relation
to what they believe is a significant change to the role of security agencies
in Schedule 6.[3]
The Queensland Council of Civil Liberties endorsed the submission of the
Privacy Foundation.[4]
3.3
The Australian Law Reform Commission (ALRC), the Commonwealth Ombudsman
(Ombudsman) and the Office of the Australian Information Commissioner
(Information Commissioner) raised other issues in relation to the TIA Act,
particularly around privacy, record keeping and reporting.[5]
The Law Council of Australia (Law Council), rather than comment on any
particular aspect of the Bill, posed a number of questions about its intended
operation.[6]
Enabling ASIO to provide technical assistance to law enforcement agencies
in relation to telecommunications interception warrants (Schedule 1)
3.4
As outlined in Chapter 2, Schedule 1 will enable officers of the
Australian Security Intelligence Organisation (ASIO), or persons assisting ASIO
in the performance of its functions, to be authorised to exercise authority
under a telecommunications interception warrant on behalf of a law enforcement
agency.
Reporting obligations
3.5
The Information Commissioner supported the proposed amendments in Schedule
1 that seek to limit the use and disclosure of information intercepted by ASIO
on behalf of another agency, as well as the extension of reporting requirements
in the TIA to include interception warrants conducted by ASIO on behalf of
other enforcement agencies.[7]
Role of the Ombudsman
3.6
The Ombudsman submitted that his office's oversight of the use of covert
powers by law enforcement agencies 'provides an important safeguard and
assurance to the Commonwealth Parliament and the general community that these powers
are properly exercised.'[8]
3.7
The Ombudsman also reports annually to the Attorney‑General on the
compliance of law enforcement agencies with record keeping and destruction
requirements relating to telecommunications interceptions.[9]
Further, the Ombudsman reports compliance regarding access to stored
communications under the TIA Act, which may include non‑compliance by
officers of the law enforcement agencies.[10]
3.8
However, the Ombudsman has no authority in respect of ASIO and as a
result:
...interceptions undertaken by ASIO on behalf of other
agencies may not be subject to the same level of scrutiny.[11]
3.9
The Ombudsman's submission noted that where ASIO executes a warrant on
behalf of a law enforcement agency that the Ombudsman would normally inspect,
the Ombudsman will not be able to interrogate the agency's systems to ensure,
for example, that no interceptions occurred outside the period the warrant was
in force.[12]
Further, while oversight of ASIO is provided by the Inspector‑General of
Intelligence and Security (IGIS), the TIA Act does not require the IGIS to
inspect the records of ASIO in these circumstances.[13]
3.10
The Ombudsman indicated that discussions had taken place between his
office and the Attorney-General's Department (Department) and ASIO. His
understanding from those discussions is that the obligation for ASIO to provide
the particulars of the interception to the agency that sought the warrant would
enable these records to be available for inspection by his office.[14]
The Ombudsman stated that this would 'assist in retaining an adequate, albeit
different, oversight arrangement'.[15]
Department response
3.11
The Department's submission drew attention to the need for a
whole-of-government approach in relation to the challenges agencies acting
under interception warrants face from fast changing technology.[16]
3.12
At the public hearing, Mr David Fricker from ASIO reiterated:
[i]f Australia's national security capability is to be
maintained we have to position ourselves such that no agency is disadvantaged
because another agency has a technical capability which is unavailable to them
under their legal authority to undertake interception or investigative
activity. I think the clock is ticking for us to strategically position
ourselves, as a national security community, to make sure that this country's
interests are best served by the infrastructure that we have across the
national security community.[17]
3.13
The Department also emphasised the fact that the TIA Act currently
allows law enforcement agencies to enable officers of another interception
agency, except ASIO, to exercise the authority conferred by a
telecommunications warrant.[18]
The Department's submission was that the Bill will require ASIO to provide the
information necessary for law enforcement agencies to comply with their record
keeping and reporting obligations, and for records to be subject to inspection
by the Ombudsman.[19]
Provision of technical assistance
by ASIO
Concerns raised by the Information
Commissioner
3.14
The EM states that, while the proposed amendments will enable ASIO to 'provide
technical assistance to law enforcement agencies in relation to
telecommunications interception warrants issued to those agencies'.[20]
However, Item 5 of Schedule 1 does not contain any qualification that
would limit this authorisation to the provision of technical assistance. As a
result, the Information Commissioner suggested that Item 5 of Schedule 1 be
amended:
...to explicitly reflect the stated policy intention of
enabling the Australian Security Intelligence Organisation to provide technical
assistance to law enforcement agencies in relation to telecommunications
interception warrants issued to those agencies.[21]
Handling of personal information
Revision of guidelines issued to
ASIO on handling of personal information
3.15
Often personal information obtained through interception warrants will
not be covered by the Privacy Act 1988 (Privacy Act). Currently,
guidelines issued by the Attorney‑General under section 8A of the ASIO
Act provide guidance for ASIO on the handling of personal information. The
current guidelines were issued on 12 October 2007 by the then
Attorney-General, the Hon Philip Ruddock MP.[22]
The Information Commissioner suggested that, given the expansion of ASIO's
functions and powers, these guidelines should be reviewed.[23]
He also indicated his willingness to assist in the development of these
guidelines.[24]
3.16
The Information Commissioner also suggested that, in order to address
potential gaps in privacy coverage, guidelines for all national security and law
enforcement agencies on personal information handling practices should be developed.
These could cover, for example, the accuracy, storage, security, retention and
destruction of personal information. The ALRC's submission also drew the
committee's attention to the report of its inquiry into the provisions of the
Privacy Act, For Your Information: Australian Privacy Law and Practice
(ALRC Report 108).[25]
That report recommended that consistent privacy rules and guidelines should be
developed for Australia's intelligence agencies.[26]
3.17
In response to a question on notice taken at the public hearing, the
Department advised the committee that, under section 15 of the Intelligence
Services Act 2001 (IS Act), the Minister responsible for the Australian
Secret Intelligence Service (ASIS), Defence Signals Directorate (DSD), and
Defence Imagery and Geospatial Organisation (DIGO) 'must make written rules
regulating the communication and retention by the relevant agency, of
intelligence information concerning Australian persons'.[27]
These are known as the Privacy Rules.
3.18
The committee also notes that, once an internal review is undertaken by
relevant agencies and departments, there are legislative requirements that must
be complied with in issuing or revising these guidelines or rules. These include:
...to consult with certain persons, provide copies to the
Inspector-General of Intelligence and Security and the Leader of the
Opposition, and ...[brief]...the Parliamentary Joint Committee on Intelligence
and Security.[28]
Department response
3.19
When asked at the public hearing whether the guidelines issued by the
Attorney‑General under section 8A of the ASIO Act will need to be
reviewed, a representative from the Department stated:
...they will need to be reviewed in light of this legislation
but possibly even more so in light of other changes to privacy legislation
which are in the pipeline.[29]
3.20
When questioned by the committee in relation to consultation with key
stakeholders on the revised guidelines and the length of time for revision of
the guidelines, the department representative advised:
[consultation with stakeholders] is what I expect will be the
case and that would be something we would be recommending. The timing of it I
would have to take on notice. I have not really assessed how long it would
take...It is a little hard for me to give you a specific time frame, but I will
say it is something we would do as soon as practicable.[30]
3.21
The Department further advised the committee that '[c]ompliance with the
Attorney-General's Guidelines and Privacy Rules is subject to independent
oversight by the [IGIS]', who reports annually to the Parliament. The
Department concluded:
In light of the existing privacy regimes, the
Attorney-General's Department is of the view that additional privacy frameworks
or MOUs do not appear to be necessary. The existing privacy regimes will
continue to be reviewed and revised as appropriate to ensure they continue to
balance operational considerations with appropriate privacy protections.
...
It is also noted that the decision to issue new or revised
Attorney-General's Guidelines or Privacy Rules is a decision for the relevant
responsible Minister.[31]
Telecommunications industry requirement to inform of proposed changes
(Schedule 2)
3.22
The proposed amendments in Schedule 2 will require carriers and
nominated carriage service providers (C/NCSPs) to notify the Communication
Access Coordinator (CAC) if they intend to implement a change to a
telecommunications service or system that is likely to have an adverse effect
on the C/NCSP's capacity to comply with their obligations under the TIA Act or
the Telecommunications Act.[32]
Industry concerns
3.23
The Communications Associations strongly opposed the amendments proposed
by Schedule 2.[33]
While noting that 'ongoing changes in technology and Industry structure mean
that the legal interception regime may require adjustments from time to time',
the Communications Associations contended
that the proposed amendments in Schedule 2 will have a substantial impact on
industry, with little, if any, apparent benefit to agencies.[34]
Further:
[t]he Associations are concerned that Schedule 2 actually has
the potential to create a situation in which Agencies will be less able to
achieve their objectives, while also negatively impacting on Australian
businesses and consumers. This is because the requirements as drafted will
likely create a (more) uneven and non-technology-neutral playing field;
increase costs; delay and restrict product availability and rollout;
arbitrarily influence business partnership choices; and disadvantage
Australian-based suppliers relative to overseas suppliers. This may force
unregulated service providers (non C/NCSPs) to locate equipment outside of
Australia, thereby not only disadvantaging C/NCSPs, the Australian Industry and
consumers in a highly globalised environment but also resulting in a loss of
current interception capabilities. This scenario thus implies an undesirable
lose-lose situation.[35]
3.24
The Communications Associations were particularly concerned about the
requirement to provide notice of proposed changes, the breadth of matters that
will now have to be notified, and associated cost requirements for industry.[36]
3.25
The Attorney-General indicated in the second reading speech that it is
intended that early notification will assist C/NCSPs to meet their obligations
to assist interception agencies and avoid the need for costly alterations once
a change has been implemented.[37]
Breadth of proposed changes
3.26
Although the provisions are in part based on similar provisions that
were contained in Division 4 of Part 15 of the Telecommunications Act,[38]
which were removed in 2007, the earlier provisions appear narrower in scope
than the proposed provisions in Schedule 2. The previous section 332E of the
Telecommunications Act referred to C/NCSPs giving notice of 'a new technology,
or a change to existing technology'. However, Item 8 of Schedule 2 of the Bill
refers to 'a change that is proposed to a telecommunications service or a
telecommunications system'.
3.27
As noted in Chapter 2 of this report, a number of examples of such
changes are provided in the Bill, including outsourcing arrangements and the
purchase of equipment both in Australia and overseas, if it is likely to have a
material adverse effect on the capacity of the carrier or provider to meet its
obligations.[39]
3.28
The committee understands that the number of changes of which the
telecommunications industry would be required to notify the CAC under these
amendments may not be insignificant. As Mr Michael Ryan from Telstra
(appearing on behalf of the Communications Associations) advised the committee:
[m]y particular organisation, in our 2010 interception
capability plan, identified 104 new products and services which we would be
launching from the 2009-10 financial year. Of those, we identified 17 which
were brand new and which may have an impact on our interception capability
plan. Of the other 87 products and services, we determined that there would be
no impact or our existing capabilities would take care of that interception
obligation. We believe that schedule 2 is going beyond that and placing a
further large reporting burden on industry when in fact the interception
capability plan appears to be working quite well at the present time.[40]
3.29
In response to a question on notice taken at the public hearing, the
Communications Associations set out how it sees the differences between the
provisions that had been in the Telecommunications Act up until 2007 and
Schedule 2 of the Bill.[41]
The Communications Associations reiterated its staunch opposition to Schedule
2:
Contrary to what has been implied by the evidence presented
by the [Department]...and the Department of Broadband, Communications and the
Digital Economy, the proposed bill does not merely re-instate previous
arrangements [it]...considerably extends and broadens the obligations of the
existing Telecommunication Act.[42]
3.30
The Communications Associations also asserted that currently there are
between zero and four formal updates, with an average of less than two, which
is supplemented by 50-60 informal briefings to agencies each year.[43]
The Communications Associations stated further:
[o]ne organisation advised that the new proposals would
potentially generate over 500 notifications per year: 500 projects per year
would need to be reviewed and potentially reported upon, based on current
projects (over last 12 months); plus there are another 50-60 network equipment
purchases that would have to be considered and added into the reporting
process.
A second organisation presented similar figures, noting that
approximately 350 projects in the past 12 months had required some Legal
Intercept assessment/review. The extension of requirements to IT and
outsourcing projects (currently excluded from requirements) would further
increase the number of notifications required.[44]
3.31
The Department advised the committee that CAC usually receives less than
'5 updated ICPs per annum pursuant to section 201'.[45]
However, the Department also noted that 'this does not reflect the full number
of changes to services or networks which affect legal obligations and therefore
warrant notification'.[46]
Costs
3.32
The Communications Associations were concerned that the proposed
amendments would place a cost burden on the industry, commenting:
[the EM] also states that the changes will have no financial
impact. The Associations dispute this statement, given the significantly
increased administrative burden, the possible delays to market, veto of product
launch, distortion of competition etc. Further, as explained in the
Associations submission, the provisions may prevent a C/NCSP from realising
cost savings through outsourcing, or cheaper service or equipment supply.[47]
3.33
The cost requirement for the industry was also raised by the Privacy
Foundation, who indicated:
...the scope of the new requirement is not clear but it would
appear to be an onerous burden on C/NCSPs too, requiring them unreasonably to 'speculate'
about the possible effects of changes and whether they might have a 'material
adverse effect' on capacity to comply with interception related obligations'.[48]
Concerns about lack of industry
consultation
3.34
The Communications Associations asserted that they had complied with
their current obligations under the TIA Act:
Presently, the larger providers in the telecommunications
industry have a very good and cooperative approach, regularly meeting with and
talking to the agencies to brief them on new technologies and advances in
telecommunications services and applications. This is in addition to—particularly
with my organisation—our weekly meetings with the agencies to talk to their
technical staff on operational and engineering issues that may impact on our
capability to respond to agency requests. We also update, on a regular basis,
the agencies, particularly at the Communications Security and Enforcement
Roundtable, which is run by the ACMA, and also the expert group, which a lot of
our senior managers attend on a regular basis.[49]
3.35
The Communications Associations also expressed their 'concern and disappointment
that Government endorsed regulatory development processes have not been
followed and [that] no Industry input has been sought in the drafting stage of
this Bill'.[50]
As a result, they sought that Schedule 2 be delayed, arguing:
...no demonstrated need exists for the far reaching proposed
changes in Schedule 2. Instead minor amendments to the existing interception
regime would constitute a more efficient and effective approach to a reasonable
and sustainable interception regime.[51]
...
[The proposed amendments] should not be progressed at this
time and ought to be re-drafted to address the [concerns outlined in the
submission], using the Government's regulatory development process, including
industry consultation.[52]
Other industry concerns
3.36
The Communications Associations raised a range of other concerns with
the proposed amendments, including transparency, a lack of oversight of CAC
actions,[53]
a lack of provisions designed to protect the commercial confidentiality of
C/NCSPs,[54]
and the cost impact on industry.[55]
It was also unclear as to whether 'material adverse effect' was an objective
assessment to be made by C/NCSPs.[56]
As previously noted in Chapter 2, there is also an absence of sanctions for
agencies who fail to protect C/NCSPs' commercial confidentiality.
3.37
In response to a question on notice, the Communications Associations
provided the committee with some proposed amendments to Schedule 2 that would
ensure that some confidentiality provisions were inserted in the Bill.[57]
They also proposed excluding proposed content changes from the operation of
this Schedule.[58]
Department response
3.38
Despite not having detailed this matter in the EM, second reading speech
or its initial submission to the committee, the representative from the
Department was able to advise the committee:
...there have been incidents where the industry just had not
identified that they have got a problem with their new technology. Then we have
a terrible situation in terms of retrofitting it to make sure they do comply,
to make sure that they have got the right technical solutions for interception,
and it ends up costing them more. This is a measure which will just require
them to write a letter or just advise us: 'We're moving to this technology.
This is what we're planning to do'...So all they have got to do is give us a
letter and outline what some of their plans are. It is not burdensome.[59]
3.39
In response to a question taken on notice, the Department advised
further that there have been several occasions:
...where carriers or their third party outsource providers
have committed to changes without timely consultation with agencies. This has
resulted in avoidable and costly re-working.[60]
3.40
Without having further information available about the types of issues
that have arisen, it is difficult for the committee to assess the concerns of
the Communications Associations. This point was also observed by the
Communications Associations, which stated:
[t]he explanatory memorandum for the Bill maintains that the
current procedure is considered inadequate as it only provides for notification
of changes after they are about to happen. It does not mention any inadequacies
relating to the scope of the current arrangements.[61]
3.41
The Department was asked at the public hearing about whether the
provisions in Schedule 2 could be amended to better express the requirement for
industry to advise the CAC of particular matters.[62]
On notice, the Department advised the committee that it did not consider
changes to be required.[63]
Disclosure of telecommunications data in relation to missing persons
(Schedule 3)
3.42
Schedule 3 proposes to amend the TIA Act to insert a new exception to
allow an authorising officer of the AFP or a state police force to authorise
disclosure of telecommunications data when the officer is satisfied that the disclosure
is reasonably necessary for the purposes of finding a missing person. However,
information may not be disclosed to the person who filed the report except:
- with the missing person's consent;
-
to prevent a threat to the missing person's health, life or
safety if the missing person is unable to consent; or
- if the missing person is deceased.
3.43
The committee notes that 'telecommunications data' is information about
a telecommunication but does not include the content of the communication
itself (for example, a list of telephone numbers dialled).[64]
Historical telecommunications data can be accessed by an enforcement agency
under the TIA Act for the purposes of the enforcement of a criminal law, a law
imposing a pecuniary penalty or the protection of the public revenue.[65]
Prospective telecommunications data (data that will exist in the future) may be
accessed by a 'defined criminal law enforcement agency for the investigation of
a criminal offence punishable by imprisonment for at least three years'.[66]
Offences exist for inappropriately disclosing or otherwise using the
information, and agencies are required to keep records of access.[67]
Privacy concerns
3.44
Both the Information Commissioner and the Privacy Foundation raised a
number of privacy issues in relation to the proposal to enable the disclosure
of telecommunications data about missing persons.
3.45
The Privacy Foundation argued that:
...it is not
clear how, if the use of relevant information for the purposes of missing
person investigations is to be subject to an overriding 'consent' condition,
why the amendments are necessary, as consent is already an exception to the
non-disclosure provisions of the Telecommunications Act. Item 5 suggests that
disclosure of missing persons information will be authorised without consent
where consent is impracticable, but again, there are existing exceptions in the
Telecommunications Act which address situations where safety, life or health
are at risk.[68]
Proposed amendments to Schedule 3
3.46
The Information Commissioner suggested a number of amendments be made to
Schedule 3 of the Bill to enhance the privacy safeguards:
[t]he Office is of the view that authorising the disclosure
of telecommunications data for public safety purposes represents an expansion
in the scope of the TIA Act and should be carefully considered.
...The Office is concerned that, if the purposes for which
telecommunications data can be disclosed is extended to public safety purposes
in this instance, then in the future other additional public safety purposes
may be identified as warranting a similar approach. Over time this could lead
to 'function creep' potentially diminishing privacy protections surrounding
communications between individuals.[69]
3.47
The proposed amendments suggested by the Information Commissioner
include:
-
using terminology consistent with that used in Australian Privacy
Principle 6(2)(g);
- providing more detailed guidance in the EM or in any binding rules
or guidelines on issues surrounding consent, such as determining capacity and
establishing whether implied consent was obtained;
- inserting the word 'serious' before the word 'threat' in proposed
new subparagraph 182(2A)(b)(ii) of the TIA Act; and
-
including in Schedule 3 of the Bill a statutory review mechanism
for the missing person provisions.[70]
3.48
The Information Commissioner also suggested that a set of binding rules
or regulations be introduced to apply to the handling of telecommunications
data related to missing persons. The Information Commissioner recommended that
this guidance could reflect the government's First Stage Response[71]
to the ALRC's recommendations in its report on the Privacy Act.[72]
In that response, the government stated that an express exception to the use
and disclosure privacy principle should apply for the purpose of locating a
reported missing person. However, in recognition of the sensitivities
associated with missing persons, any missing persons' exceptions should be made
in accordance with binding rules issued by the Privacy Commissioner.[73]
3.49
At the public hearing, Ms Helen Donovan from the Law Council endorsed
these suggestions of the Information Commissioner.[74]
Department response
3.50
The Department's submission indicated that, because missing person
information can only be disclosed to the person who made the report if the
missing person consents, is deceased or to prevent a threat to the missing
person's health, life or safety:
[t]hese restrictions will ensure that the privacy of the
missing person is respected and the information is only disclosed without the
consent of the missing person if it is for their benefit.[75]
3.51
Further, the Department advised the committee of another safeguard,
namely that agencies will be required to report on the number of authorisations
in relation to missing persons made by their agency.[76]
In addition, unauthorised disclosure or use of information is an offence
punishable by two years imprisonment.[77]
Stored communications warrants in relation to victims of serious
contraventions (Schedule 4)
3.52
The proposed amendments in Schedule 4 clarify that a stored
communications warrant can be obtained to access the stored communications of
both the offender and the victim of a serious contravention.[78]
3.53
The Ombudsman's submission stated that he is 'of the view that the TIA
Act does not presently allow a warrant to be sought in respect of a victim of a
serious contravention'. Accordingly, he welcomed the amendment proposed by
Schedule 4.[79]
Concerns about compliance in
accessing stored communications
3.54
While supportive of the amendment, the Ombudsman noted that this 'is but
one of a number that are required in order to bring some clarity to a regime
with significant compliance issues identified by my office'.[80]
3.55
The Ombudsman's submission also observed that during 2009-10, he carried
out 17 inspections of stored communications records maintained by 14 agencies,
including the AFP, the Australian Crime Commission (ACC), the Australian
Securities and Investments Commission, the NSW Crime Commission, NSW Police,
Queensland Police, Queensland Crime and Misconduct Commission, South Australia
Police, Tasmania Police, Victoria Police, the Victorian Office of Police
Integrity, Western Australia Police, the Corruption and Crime Commission (Western
Australia) and the Australian Customs and Border Protection Service.[81]
3.56
The level of compliance by the AFP and the ACC with the requirements of
the TIA Act in respect of telecommunications interception is generally high,[82]
however the Ombudsman also identified a number of significant issues regarding
compliance with the relevant provisions of the TIA Act in relation to access to
stored communications, which were outlined in his report to the Attorney‑General
in 2008‑09.[83]
Proposal to provide guidance to
assist law enforcement agencies
3.57
The Information Commissioner suggested that guidance, in the form of
binding rules or regulations, should be developed to assist law enforcement
agencies to determine when a person is unable to consent or when it may be
impracticable to gain the consent under the proposed amendments in Schedule 4.[84]
3.58
The Information Commissioner also suggested that the EM to the Bill
should expressly identify where privacy issues may arise to provide assistance
to the issuing authority when considering the factors set out in subsection
116(2) of the TIA Act.[85]
Department response
3.59
At the public hearing, the Department was asked to respond to the
Information Commissioner's comments about whether the EM should be clarified in
order to provide guidance on situations when it may be impracticable to provide
consent.[86]
3.60
In its response, the Department advised the committee that '[i]t was not
thought necessary for the [EM] to be too prescriptive about those issues, as it
is a question of fact to be determined in the circumstances of each case.'[87]
The Department commented that '[t]he decision is a matter for the issuing
authority, who should have sufficient flexibility to make a decision about the
circumstances relating to victim notification in individual applications.'[88]
3.61
The Department also drew the committee's attention to subsection 116(2),
which sets out the matters that the issuing authority must consider before
issuing a stored communications warrant, which are not affected by these
proposed amendments.[89]
The section provides:
(2) The matters to which the issuing authority must have
regard are:
(a) how much the privacy of any person or persons would be
likely to be interfered with by accessing those stored communications under a
stored communications warrant; and
(b) the gravity of the conduct constituting the serious
contravention; and
(c) how much the information referred to in paragraph (1)(d)
would be likely to assist in connection with the investigation; and
(d) to what extent methods of investigating the serious
contravention that do not involve the use of a stored communications warrant in
relation to the person have been used by, or are available to, the agency; and
(e) how much the use of such methods would be likely to
assist in connection with the investigation by the agency of the serious
contravention; and
(f) how much the use of such methods would be likely to
prejudice the investigation by the agency of the serious contravention, whether
because of delay or for any other reason.[90]
Cooperation, information sharing and other assistance between intelligence and
law enforcement agencies (Schedule 6)
Law enforcement and national
security functions
3.62
Schedule 6 was considered by submitters and witnesses to be the most
contentious part of the Bill. This Schedule proposes to provide ASIO, ASIS, DSD
and DIGO with a new function of cooperating with and assisting each other, and with
prescribed Commonwealth and state authorities. Regulations will be used to
prescribe authorities of the Commonwealth or of a state to enable the national
security agencies to cooperate with and assist those bodies in the future.[91]
3.63
In addition, the Bill proposes to enable ASIO to cooperate with and
assist law enforcement agencies in the performance of their functions. 'Law
enforcement agency' is defined quite broadly.[92]
The EM indicates that this definition is intended to cover a wide range of
agencies, including 'other bodies that have functions connected
with law enforcement, such as integrity and corruption agencies and also other
agencies with investigatory and enforcement powers with respect to Commonwealth
and State laws'.[93]
3.64
The Bill also proposes amendments to the communication provisions in the
ASIO Act to enable the Director-General to communicate information that has
come into the possession of ASIO in the course of performing its functions, to
specified persons in specified circumstances.[94]
The circumstances where information may be communicated are where:
-
the information relates, or appears to relate, to the commission,
or intended commission, of a serious crime;[95]
or
-
the Director-General, or a person authorised for the purpose by
the Director‑General, is satisfied that the national interest requires
the communication.[96]
3.65
The Department has advised the committee that while ASIO has both
intelligence and assessment functions, 'ASIS, DSD and DIGO have functions
relating to foreign intelligence production but not assessment'.[97]
The Department stated that this 'can result in limitations on the cooperation
or assistance which the latter agencies can provide to ASIO in relation to its
security intelligence assessment functions' in addition to having implications
for 'multi-agency teams and taskforces that have assessment related roles'.[98]
Further:
agencies under the IS Act have functions that concern
'intelligence about the capabilities, intentions or activities of people or
organisations outside Australia' as relevant to Australia's national security,
foreign relations or national economic wellbeing...ASIO's functions relate to
security...threats to Australia and Australian interests. [99]
Need to retain distinct roles of national security and law
enforcement agencies
3.66
The Privacy Foundation expressed 'the most serious concern about this
Bill',[100]
suggesting that the Bill's 'effect is to destroy the hitherto carefully
maintained separation between the roles of national security and law
enforcement'.[101]
Further:
[t]he Bill comes close to giving a very wide range of
enforcement agencies (and not just those engaged in criminal law enforcement)
access to the same extraordinary powers that have rightly been limited, to
date, to a few specialised agencies with narrow and targeted functions.[102]
3.67
The Privacy Foundation also noted that '[w]hile some residual barriers
remain or are re‑asserted in the Bill, they are seriously weakened'.[103]
3.68
Similar concerns were raised by the Castan Centre:
[Schedule 6 would] significantly broaden the scope for
Australian intelligence organisations – including organisations [which]
hitherto have had a statutory obligation to confine their operations primarily
to people and organisations outside Australia – to become participants in
domestic governmental functions, including but not limited to domestic law
enforcement. This has implications for privacy, for the political independence
of law enforcement bodies, and for the relationship between Parliament, the
Executive and the people that is at the heart of the Australian system of
government.[104]
3.69
The Law Council was also concerned that although the EM asserts that the
Bill 'does not affect the distinction between law enforcement and intelligence
functions' whereby 'arrests and prosecutions will remain a matter for police
and prosecutorial authorities' and 'ASIO's primary function will remain
gathering and analysing intelligence', it was unclear how the 'distinction
between law enforcement and intelligence functions' could be guaranteed.[105]
This is particularly the case as 'proposed section 19A does not require any
nexus between the type of work that ASIO staff may do for other agencies and
ASIO's existing functions'.[106]
3.70
NSW Council for Civil Liberties also raised concerns with Schedule 6
noting:
[i]t is vitally important that the functions of the security
and intelligence bodies are so far as possible kept distinct from those of the
law enforcement agencies—that ASIO for instance is not inappropriately involved
in police work; that it does not become Australia's secret police.[107]
Proposal to require reporting on
new powers and review mechanisms
3.71
NSW Council for Civil Liberties suggested that, if Schedule 6 is to
remain in the Bill, an additional safeguard should be included to provide:
[e]ach year, a report ... be made to the Attorney General and
the Parliament concerning the number of interceptions and accessions to stored
communications in which ASIO (or ASIS, DSD or DIGO) have been asked to assist
the law enforcement bodies, the agencies assisted, the crimes being
investigated, the use of the information in evidence and the convictions which
have resulted.[108]
3.72
In addition to the suggestion that a report be made to Parliament each
year, the Information Commissioner also suggested that a statutory review
mechanism be included in Schedule 6 of the Bill to allow the operation of the
information sharing arrangements to be reviewed and assessed after a period of
time.[109]
Concerns about enabling ASIO to
communicate information in relation to serious crimes
3.73
The Castan Centre stated that the 'conduct to which the information
relates need no longer be an offence against an Australian law, but only
conduct which, were it committed within Australia, would be a criminal
offence.'[110]
Its view was that these amendments could result in ASIO becoming involved in
criminal investigations of Australians overseas and communicating that
information to Australian authorities. It was also concerned that it may
enable ASIO to communicate 'to customs or immigration officials information
about individuals' undertaking acts that 'are prohibited in Australia but legal
in the overseas country where [they] took place'.[111]
Department response
3.74
In a response to these concerns on notice, the Department drew attention
to the information provided by Mr David Fricker of ASIO at the public hearing:
These are serious decisions made at the most senior levels of
ASIO about what is and what is not the national interest. These are traditional
judgments. These are judgments which have always been made by the
Director-General of Security. I do not want to leave this committee with the
view that we are now going to have a spin-off line of business that with every
warrant we have we must produce something for other agencies. It is not that at
all. These are serious considerations about what goes to the national interest.[112]
Definitions of 'law enforcement
agency' and 'national interest'
3.75
The lack of definition of the 'law enforcement agency' and the 'national
interest' raised a number of concerns for submitters.
3.76
The Privacy Foundation argued:
[i]n the context of the proposed amendments to the ASIO Act,
the new definition [of 'law enforcement agency'] is far too broad, and should
be limited to a finite list of specified agencies set out, for these purposes
either in the ASIO Act or in the TIA Act...This list should not include the
wide range of agencies that may have incidental 'investigatory and enforcement
powers' – which would be most government agencies.[113]
Concerns over which agencies are
'law enforcement agencies'
3.77
The Law Council was also concerned that the definition of 'law
enforcement agency' was broad enough to enable ASIO to share information with
agencies including the Australian Tax Office, Centrelink and the Australian
Securities and Investment Commission in relation to 'possible breaches of the
laws those agencies administer'.[114]
What is the 'national interest'?
3.78
The Law Council was also concerned about how the 'national interest' is
to be interpreted.[115]
This issue was also raised by the Privacy Foundation[116]
and the Castan Centre.[117]
The Castan Centre's submission stated that, because ASIO must be satisfied that
'the national interest requires communication of that information',[118]
it is hard to estimate the effect of this provision because it depends upon
ASIO's understanding of the 'national interest'. The Castan Centre's view was
that the amendment would enable:
...ASIO to communicate information that it obtains about
non-violent political activities, where ASIO forms the view that such
demonstrations or protests could lead to economic disruption, or to disruption
of high-level government activities (such as diplomatic gatherings), and that
such disruption would be contrary to the national interest. This could extend
beyond protest or demonstrations to (for example) political advertising
campaigns that appeared to threaten the national interest. Furthermore, such
information could be communicated not only to police forces, but (for example)
to State departments or instrumentalities concerned with the activity that ASIO
fears will be disrupted.[119]
3.79
While the Castan Centre's submission also noted that section 17A of the
ASIO Act, which provides that ASIO 'shall not limit the right of persons to
engage in lawful advocacy, protest or dissent', was unaffected, the Castan
Centre was concerned these amendments have 'the potential to chill political
activity by creating a possibility ...that information about political activity
deemed contrary to the national interest will be communicated by ASIO to other
agencies and authorities'.[120]
Department response
3.80
When the Department was asked to provide examples in which exchange of
information in the national interest could occur, the departmental
representative stated:
[o]ne example is the ability to pass information on to the
people who administer the Migration Act. Another example might be the Taxation
Office, where ASIO comes across an absolutely huge taxation fraud which would
affect government revenue and your ability to look after the community by
reducing revenue—the Project Wickenby task force is an example. It is quite
possible for an agency like ASIO as part of its normal functions to come across
something relevant to that. As we know, people that ASIO might be interested in
under its normal functions are sometimes involved in other illegal activities.[121]
3.81
In response to concerns raised in submissions about what the 'national
interest' is, the Department advised:
[t]he term 'national interest' is used in other contexts in
Commonwealth legislation where it is not defined [for example, the Trade
Practices Act 1974]. Courts, when considering decisions made on grounds of
national interest in other contexts, have generally expressed views indicating
that the primary determination of what is in the national interest is for the
Minister.[122]
Prescription by regulation
3.82
The Privacy Foundation argued that the provision for other agencies to
be prescribed by regulation gives an unacceptable level of discretion to the
Executive. Further:
[m]ajor decisions on policy settings, such as in this case
the determination of which agencies – including non-law enforcement agencies –
can get the benefit of national security and national intelligence agency
assistance, should remain the prerogative of Parliament to make in the
legislation itself.[123]
3.83
The Law Council was also concerned by the ability to prescribe agencies
by way of regulation. When asked by the committee what the Law Council's views
were on this matter, Ms Donovan stated that, '[i]n many situations, the most
appropriate legislative response is going to be to have an exhaustive list of
agencies. I do not think it is that onerous or cumbersome to list those'.[124]
Department response
3.84
When the Department was asked about whether Commonwealth and state
authorities should be named in the legislation, rather than by regulations, the
departmental representative responded:
[a]s you know, the legislative program is very busy and it
takes some time to do that. Sometimes you may have an emergency situation where
listing the correct organisation quickly might well impact on things
operationally. Of course, the parliament can disallow the regulations which
provide the listings.[125]
Creation of a comprehensive privacy
framework
3.85
The Information Commissioner suggested that a privacy framework be
developed to support the information sharing arrangements set out in Schedule 6
of the Bill:
[t]his framework could be established through the development
of a memorandum of understanding between participating agencies. The framework
could include personal information handling guidelines covering the collection,
use, disclosure, accuracy, complaint handling, storage, security, retention and
destruction of personal information that falls within the scope of the information
sharing arrangements.[126]
3.86
During the public hearings, the Australian Privacy Commissioner,
appearing for the Information Commissioner, was asked whether the guideline
should be a legislative instrument or simply a guideline to assist
stakeholders.[127]
In response to this question on notice, the Privacy Commissioner advised:
[t]here are various mechanisms that could be adopted to
achieve consistent and uniform privacy guidelines across all jurisdictions. The
Bill could contain in the applicable Schedules a clause specifically requiring
the creation of privacy guidelines. Such a provision could identify those
privacy issues to be covered in the guidelines and specify the accountability
mechanism. Adopting this approach would provide Parliament with an express role
in determining privacy protections. Alternatively, guidelines could be
prescribed by way of regulation.
Another option could be for the development of a set of
guidelines that could build upon existing privacy frameworks. These existing
frameworks may need to be reviewed and amended to ensure they are best able to
address any privacy issues arising out of the Bill and are consistent across
jurisdictions. These guidelines could also apply through memorandums of
understanding in those jurisdictions where there is no comparable privacy
framework.[128]
Department's response
3.87
The Department's view is that there are already sufficient safeguards
provided and there is no need to further develop personal information handling
guidelines.[129]
The Department also emphasised that unauthorised communication of information
by an officer of ASIO is an offence.[130]
Other issues
Prospective access to
telecommunications data in missing persons cases
3.88
NSW Police suggested an additional amendment be included in the Bill to:
...enabl[e] law enforcement agencies to gain authorised
prospective access to telecommunications data pursuant to Section 180 of the
Telecommunications Interception and Access Act 1979. Prospective access to this
kind of information will allow police to use real-time information to ascertain
the current whereabouts of missing persons as opposed to having to rely on data
available only up until the time at which the missing person notification was
made.[131]
3.89
When asked about this at the public hearing, the AFP indicated its
support for the proposal. The AFP later clarified that it agreed with the
statements made by the NSW Police about the current state of the law, however
legislative amendment is a matter for government.[132]
The AFP indicated that it supported Schedule 3 as it was proposed in this Bill.[133]
Telecommunications interference in
an investigation
3.90
The AFPA also suggested an additional amendment:
[c]urrently the TIA Act does not specifically allow law
enforcement agencies to interfere with the telecommunication devices of a
person of interest in an AFP investigation. This type of necessary interference
may include temporarily deactivating the international roaming capabilities of
a specific phone with an Australian carrier; or temporarily blocking an
outgoing phone signal at an examination facility.
The AFP recommends that an amendment should be made to the Telecommunications
(Interception and Access) Act [1979] to specifically allow enforcement agencies
to interfere with telecommunication devices of persons of interest to an AFP
investigation where it is important to disrupt their communication with other
members of a criminal syndicate or terrorist group in order to preserve
evidence or potentially prevent a criminal act or terrorist act occurring.[134]
Explanatory Memorandum
3.91
The Information Commissioner, the Privacy Foundation and the Law Council
expressed concerns about the quality of the EM.[135]
The Communications Alliance raised the need for clarification around their reporting
requirements. Further, the Information Commissioner indicated that the EM could
specifically detail where privacy issues may arise within the context of these
amendments to assist issuing authorities when considering factors under
subsection 116(2) of the Telecommunications (Interception and Access) Act
1979.[136]
3.92
The extensive additional information provided by the Department on
19 November 2010,[137]
while of great assistance to the committee, indicates the clear deficiencies in
the EM. The committee considers that much of the material provided by the
Department should have been included in the EM to provide guidance when
considering the Bill.
Office of the Privacy
Commissioner's 4A Framework
3.93
The Information Commissioner suggested that utilising the former Office
of the Privacy Commissioner's 4A Framework[138]
could assist in ensuring the proposed amendments in the Bill only apply in
circumstances where it is necessary and proportionate to facilitate information
sharing between intelligence and law enforcement agencies undertaking their
legitimate functions.[139]
Lack of consultation and imperative
for the Bill
3.94
The committee notes the apparent lack of consultation with affected
bodies and key stakeholders, such as the Communications Associations and the Law
Council, in the development of the Bill. At the public hearing, Ms Helen
Donovan from the Law Council asserted:
Our position is that the bill should not be passed—that
[Items 12 and 17 of Schedule 6] of the bill, at least, should not be
passed—until adequate explanation is provided as to why they are necessary and
how they are intended to be used.[140]
3.95
In response to these concerns, the representative from the Department
told the committee that there had been some opportunity for comment by
stakeholders:
I think the bill was introduced some time in June. So it has
been out there for quite a long time. It is not as if people have not had an
opportunity to digest what was in it. It is the case that we often do much more
comprehensive consultation processes. An example of that is that national
security legislation and our purple discussion paper. That is for much more
comprehensive and substantial changes. Sometimes with amendments like these
which in our mind are not of the same nature, we do not have a particularly
ornate process.[141]
3.96
The departmental representative also indicated that there is an
imperative to pass this legislation quickly and that,
during the 2009-10 budget, funding of $100 million over four years was
allocated for telecommunications interception.[142]
Part of this money was provided for ASIO to assist the ACC and the Australian
Commission for Law Enforcement Integrity with telecommunications interception
capabilities on a pilot basis to address future technological challenges.
3.97
The National Interception Technical Assistance Centre pilot program
commenced on 1 July 2010 and is intended to operate for two years.[143]
The pilot program will involve ASIO, with assistance from the AFP, providing
'coordinated technical assistance to other Australian interception agencies by
providing a central point of reference from which agencies can receive
technical assistance to help keep pace with technical change'.[144]
3.98
The departmental representative stated that some parts of the pilot
could not be implemented without passage of this Bill, and
also noted that some legislative gaps had been identified following the
incident on Northwest Airlines Flight 253 in December 2009.[145]
Committee view
3.99
The committee understands and appreciates the importance of ensuring
that Australia's national security agencies and law enforcement agencies have
access to the best information and technical expertise available. It also
acknowledges that this Bill will be important in enabling greater cooperation,
assistance and information sharing between national security and law
enforcement agencies, and is strongly supported by key stakeholders in that
community.
3.100
However, the committee is mindful of concerns raised by a significant
number of submitters in relation to the broadening of security agencies' powers
and the need to balance the 'public interest in law enforcement and national
security agencies sharing information to facilitate their legitimate activities
and the public interest in protecting the personal information of individuals'.[146]
3.101
Submissions to this inquiry, while generally supportive of the broader
approach, have suggested that there may be less intrusive ways of achieving a
similar outcome, with greater protections being provided to the privacy of
individuals and without increasing the regulatory burden on business in
relation to Schedule 2 of the Bill. As the Information Commissioner noted:
[b]y implementing high standards of personal information
handling law enforcement and national security agencies can help maintain
information quality and assist in maintaining the integrity of investigations
and inquiries. This will deliver better outcomes as well as promote community
trust and confidence in the sharing of personal information by law enforcement
and national security agencies.[147]
3.102
The committee also considers it to be unfortunate that some of the
issues identified in this inquiry were not previously canvassed due to limited,
if any, consultation with key stakeholders outside the national security and
law enforcement community. The committee expresses concern about the lack of
explanation provided in the EM to the Bill and is of the view that much of the
information provided in the Department's answers to questions on notice and
supplementary material should have been included in the EM.
3.103
The committee appreciates the efforts of submitters and witnesses, in
particular the Communications Associations, the Law Council, the Information
Commissioner and the Ombudsman, for raising potential issues in relation to the
Bill's drafting, operation and impact, and puts forward recommendations to
address some of these issues.
Recommendation 1
3.104
The committee recommends that the Attorney-General's Department revise
and reissue the Explanatory Memorandum to the Bill to:
- provide greater clarification to carriers and nominated carriage
service providers about their reporting requirements under the Telecommunications
(Interception and Access) Act 1979;
- specifically detail where privacy issues may arise within the
context of these amendments to assist issuing authorities when considering
factors under subsection 116(2) of the Telecommunications (Interception and
Access) Act 1979; and
- address what the existing legislation already provides for and
explain why those existing provisions do not adequately meet the operational
requirements of intelligence and law enforcement agencies.
Recommendation 2
3.105
The committee recommends that, consistent with further clarification
being provided in the Explanatory Memorandum as outlined in Recommendation 1,
guidelines be developed by the Attorney-General's Department to provide further
clarification to carriers and nominated carriage service providers about their
reporting requirements under Schedule 2 of the Bill.
Recommendation 3
3.106
Subject to the above recommendations, the committee recommends that the
Senate pass the Bill.
Senator Trish Crossin
Chair
Navigation: Previous Page | Contents | Next Page