Data retention: Govt needs to spell out metadata details, committee says

The Parliamentary Joint Committee on Human Rights has called for the government to spell out in legislation what sort of metadata will be collected under its data retention regime.

Although the government has already outlined the type of metadata it is interested in, the bill is designed so that the detail of data that service providers will be required to retain will be spelled out in regulation.

To "avoid the arbitrary interference with the right to privacy that would result from reliance on regulations, the bill [should] be amended to define the types of data that are to be retained," the report argues.

Although content is exempt from the proposed data retention scheme, a definition of 'content' is not included in the text of the bill. The report recommends that such a definition should be included.

The report also questions the length of time data will be retained for. As it stands, data will be retained for two years.

"[D]espite the acknowledged low frequency of use of data that is more than six months old, and the stated requirement for older data for national security and complex criminal offences, the scheme does not limit access to data which is older than six months to the investigation of national security and complex criminal offences," the report states.

The committee requests further advice from the attorney-general about whether the proposed retention period is "necessary and proportionate in pursuit of a legitimate objective".

Retaining data on every customer of a service provider is "very intrusive of privacy," the committee noted and "raises an issue of proportionality"

"Communications data can reveal quite personal information about an individual, even without the content of the data being made available, revealing who a person is in contact with, how often and where," the report states. "This in turn may reveal the person’s political opinions, sexual habits, religion or medical concerns."

The committee also raised concerns over the organisations able to access data retained under the scheme as well as the circumstances in which they are able access metadata.

Under Australia's existing telecommunications interception regime, law enforcement organisations and other government agencies seeking access to communications content are required to obtain a warrant. However, access to communications metadata under the Telecommunications (Interception and Access) Act 1979 does not require a warrant.

Australia's largest telco, Telstra, earlier this year said that it had received tens of thousands of warrantless requests for customer data in the last 12 months. Previous the telco has revealed that organisations accessing customer metadata include local councils and the RSPCA.

Greens Senator Scott Ludlam has previously tried to introduce a requirement for organisations to get warrants before accessing teclos' customer data and has instigated a Senate inquiry into the TIA Act which is due to report on 3 December.

The Joint Committee on Human Rights report recommends a requirement for "prior review" be added for organisatoins seeking to access metadata.

"The committee therefore recommends that, so as to avoid the unnecessary limitation on the right to privacy that would result from a failure to provide for prior review, the bill be amended to provide that access to retained data be granted only on the basis of a warrant approved by a court or independent administrative tribunal, taking into account the necessity of access for the purpose of preventing or detecting serious crime and defined objective grounds," the report states.

Circumstances in which data should be access should be "where it is 'necessary' for the investigation of specified serious crimes, or categories of serious crimes."

The committee also argues that individuals should be notified after their data has been access (with delays as necessary for ongoing investigations) and that individuals should be allowed to challenge government agencies' access to their metadata.