Memo to ICT: Should we be collecting metadata?

Iain Stevenson explains why every organisation should examine its position under the recently enacted Amendment to the Telecommunications Act

©iStock.com/Rex_Wholster 

The telecommunications and internet services industry – as well as the media and various human rights and privacy concern groups – has been in a decade-long dialogue with legislators and politicians over the mandatory retention of communications ‘metadata’. Simply put, this metadata tracks the technical details of online communications and mobile/landline calls made by Australians from within Australia.

The Telecommunications Act – Data Retention Amendment came into force in mid-October 2015. However, those organisations required to retain data can seek approval to progressively implement the necessary infrastructure and procedures, provided that they will be compliant by April 2017.

Many organisations whose core business is not the provision of telecommunications, including those in the hospitality, education, healthcare and local government sectors, also potentially fall under this legislation.

Deadlines for preparing and submitting an Implementation Plan (or seeking an exemption or variation to your obligations) have now passed, but it’s safe to assume that not every organisation that needed to meet this requirement actually achieved it.

Quick Facts

The Amendment applies to every organisation that owns its own network infrastructure and provides internet or call access beyond its ‘immediate circle’ of management, staff and regular contractors.

Metadata required to be retained for two years includes:

- Subscriber, account and equipment details

- Source and destination of a communication

- Date, time and duration of a communication, or of its connection to a relevant service

- Type of communication or relevant service accessed

- Location of any equipment or lines used in connection with a communication

You must also encrypt the metadata and protect it from unauthorised tampering.

If you fall under the Amendment, you are required to develop a Data Retention Implementation Plan to progressively establish the required capability by April 2017.

Resources prepared by the Attorney General’s Department to assist with assessing your obligations and preparing any necessary submissions can be found here

Why is collecting metadata such a chore?

Apart from the common Australian distaste for intruding on personal privacy, the retention of metadata can be quite onerous. The metadata itself has to be collected, encrypted and securely stored for two years. This can become expensive in terms of the necessary tools and data storage – not to mention the additional ICT processes, compliance oversight and reporting also required.

We’re not a telco, so how could it possibly apply to us?

Quite simply, if your organisation is providing telecommunications services on your own network equipment to people outside of your immediate business circle, then you must now have a plan for retaining the resultant metadata.

Here are four examples of organisations that fall under the new provisions:

  1. A hospital provides Wi-Fi internet services using its own Wireless Access Points (WAPs) to patients and visitors – and its tenants (a flower shop, newsagent and pharmacy) all have telephone extensions through its switchboard. These may all create the need for metadata retention.
  2. A university offers its students a life-long university email address as well as providing on-campus Wi-Fi and internet services to all campus visitors. Staff and current students are considered part of the university’s ‘immediate circle’ and do not create any data retention obligations. However, alumni (past students), conference visitors and (potentially) visiting lecturers are not, and the university may subsequently find that it needs to collect metadata for all users.
  3. A chain of coffee shops or hotels provides Wi-Fi internet services and perhaps an internet terminal or two for its patrons. If the organisation owns and operates the Wi-Fi equipment, then certain data must be retained despite the fact that the underlying internet access is provided by their ISP.
  4. A conference centre operates its own online collaboration services for use by conference attendees. The metadata associated with these ‘internet over-the-top’ services must also be retained.

Certain limitations and exemptions may apply. For example, a single café owner offering Wi-Fi internet access over their own equipment will not be required to retain metadata – as long as they’re only doing this in a single place.

Do you offer some form of internet access to visitors or the general public using your own network equipment? Or do you operate internet collaboration applications available to those outside your immediate business circle? If so, you may be obliged to collect, encrypt and retain the associated metadata for two years and make it available to government authorities on request.

Don't panic!

You may have missed the deadline, but if you feel your organisation could possibly fall under the Amendment, then you should seek expert advice fast. Note that, once you have submitted a Data Retention Implementation Plan and it has been approved, you must then implement it or potentially face prosecution and fines.

Remaining in a state of blissful ignorance is not a risk-free option either: failing to retain metadata when you are obliged to do so is also a contravention of the Telecommunications Act, so better late than never!

Implications of the Data Retention Amendment are not immediately clear. The legislation is written in very broad terms and often must be read within the context of specific technical and business circumstances to understand exactly how it applies to you. While the rules may seem complex, our telecommunications consultants are here to help you understand your obligations and make metadata retention as simple as possible.

About the Author

Iain Stevenson is a Brisbane-based Principal Consultant with CSC Consulting specialising in assisting clients to understand and plan for their telecommunications needs. He has a Bachelor of Electrical Engineering and 30-plus years of experience in the Australian telecommunications industry. Most recently, he assisted the Queensland Government in strategic planning, business cases and the delivery of significant projects in the state.