Federal government officials have been accused of a “cavalier disregard” for the dozens of state and federal government agencies accessing data retained under the mandatory data retention regime thousands of times a year despite legislation explicitly excluding them from access.
Under the mandatory data retention legislation passed in 2015, the number of agencies allowed to access the data was narrowed down to just 21. But the telecommunications industry organisation Communications Alliance has revealed that at least 87 other state and federal organisations – including city councils, the RSPCA and the South Australian fisheries department – have accessed the data under section 280 of the Telecommunications Act.
Data held by the Australian Communications and Media Authority shows the power was used 8,432 times in the 2018-19 financial year, but the Acma does not record for what purpose the data was sought.
In a submission to the committee reviewing the mandatory data retention legislation, the home affairs department and the infrastructure, transport, regional development and communications department argued it was not a “loophole” in the scheme because that section of the legislation was designed to allow telecommunications companies to comply with lawful requests under other legislation – including state and territory legislation – for access.
The committee’s deputy chairman, Anthony Byrne, said use of this data was never contemplated when it reviewed the legislation half a decade ago, and accused the public servants of having a “cavalier disregard” for access to the metadata.
“For me to hear you effectively say that you’re not quite sure how many organisations can access this metadata and then casually say it is a jurisdictional issue, it goes against the guarantee we were given when we put this scheme in the first place,” he said.
Hamish Hansford, home affairs’ first assistant secretary for national security and law enforcement policy, told the committee on Friday that the data retention scheme was “highly transparent” but section 280 was separate, even though the data was held under the mandatory data retention regime.
“I think the concern you have is access to data, rather than the data retention regime … I think there is a big distinct difference,” he said.
“I would disagree with you,” Byrne said. He said he was annoyed the home affairs department did not raise this issue with the committee.
“You’ve done nothing about it,” he said. “You didn’t come to the committee and say this is a problem. We had to find out about it from third parties.
“This undermines the faith in the scheme and if you think it is OK the RSPCA accesses it or councils access it or teachers – and then you defend them?”
Byrne said it was unacceptable that agencies continued to be allowed access to the data despite not being authorised under the legislation, and the department could have suggested using the council of Australian governments process to close the loophole.
“I was told this would be plugged,” he said. “It has not been plugged. It doesn’t matter you’re hand-balling to the state agencies.
“I’m extremely annoyed about the issue, and I will be pursuing it in another forum … I’m done with you on this.”
Guardian Australia understands there is unanimous concern on the committee about the number of agencies accessing the data outside the scheme, although it is not yet clear what recommendations it will make to change the legislation.
Asio’s director general, Mike Burgess, also told the committee that as a private citizen he too was concerned about organisations such as the RSPCA having access to the data.
Coalition committee members, including David Forcett, raised the possibility of extending beyond two years the length of time the data is retained to “balance” any narrowing of access or additional safeguards put in place on access to the data.
Hansford said that requiring warrants to access the data would create a bottleneck, and argued against limiting access only for investigating serious crimes.