The Department of Home Affairs and the Department of Infrastructure, Transport, Regional Development and Communications have been criticised for not knowing how many agencies have been authorised to access telecommunications metadata without a warrant under Australia’s mandatory data-retention laws.
Powers under section 280 of the Telecommunications Act were used by state and federal agencies 8432 times in 2018-2019, the Parliamentary Joint Committee on Intelligence and Security heard on Friday. That figure was down from 11,976 in the previous year, according to a report from the Australian Communications and Media Authority.
While mandatory data retention laws permit just 21 agencies to access the metadata, more than 87 other entities — including councils, the Victorian Institute of Education, the RSPCA and the South Australian fisheries department — have used section 280 to gain access.
A submission from Home Affairs stated that a provision under section 280 has allowed agencies “outside of the data-retention scheme to use their own powers to seek access to this ‘if the disclosure is required or authorised under law'”.
“Many Commonwealth, state and territory organisations have their own ‘notice to produce’ powers, set out in their own enabling statute. As a result, these bodies can lawfully access telecommunications data under section 280, provided the request falls within their legislated powers. The Home Affairs Portfolio understands that section 280 is being used regularly to request telecommunications data,” the submission said.
Committee deputy chairman Anthony Byrne argued Home Affairs had shown a “cavalier disregard” for the limits on which agencies can access the information, noting that the committee had been told access under section 280 would cease if the metadata laws were passed.
“Our committee in its various iterations was told in 2012, 2013, 2015, and 2016 that they will be doing everything within their power to limit the number of organisations that could access this metadata,” he said.
“What you’ve just said today, basically says it hasn’t been stopped. And worse than that, you’ve known about it, you’ve done nothing about it. You didn’t come to the committee and say this is a problem, we have to find out by third parties.
“For me to hear you effectively say that you’re not quite sure how many organisations can access this metadata and then casually say it is a jurisdictional issue, it goes against the guarantee we were given when we put this scheme in the first place,” he said.
Home Affairs’ first assistant secretary for national security and law enforcement policy Hamish Hansford argued the data retention scheme was “highly transparent” and section 280 was separate, even though the data was held under the mandatory data retention regime.
“So I think the concern that you have is in relation to access to data rather than the data retention regime in the 21 agencies. And I think there is a big, distinct difference,” he said.
Byrne argued Home Affairs’ decision to not raise the issue with the committee “undermines the faith in the scheme”.
“You’ve indicated to me that you’re not seriously wanting to address the issue. I’m extremely annoyed about the issue, and I’ll pursue it in another forum,” he said.
Shadow Attorney-General Mark Dreyfus questioned the Department of Infrastructure, Transport, Regional Development and Communications on the matter.
“Does anybody know — this is my question to all of you — does anybody know how many authorised agencies for telecommunications information have been made in reliance on section 280 and some other law? This year, or last year, or the year before?” he asked.
The department’s first assistant secretary of the Communications Infrastructure Division, Jennifer McNeil, took the question on notice. She said no central database to track state and civil use of retained metadata existed.