Communications Essentials



Similar documents
DATA RETENTION. Guidelines for Service Providers

Data Retention. Who What Where - When. Anna Harmer. Assistant Secretary Electronic Surveillance Policy Branch. Greg Sadler

DATA RETENTION. Frequently Asked Questions for Industry

Process for advising on the feasibility of implementing a patient access scheme

EXPLANATORY MEMORANDUM TO THE DATA RETENTION (EC DIRECTIVE) REGULATIONS No. 2199

Business Plan

BEST PRACTICE CONSULTATION

AER reference: 52454; D14/54321 ACCC_09/14_865

ETNO Expert Contribution on Data retention in e- communications - Council s Draft Framework Decision, Commission s Proposal for a Directive

UNSOLICITED PROPOSALS

Updated SCER Demand Side Participation Program December 2013

Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014

Patrick Fair Partner, ITC and Data Security Specialist Baker & McKenzie. Developments in Security Regulation

ACADEMIC POLICY FRAMEWORK

APES 230 Financial Planning Services Issues for discussion CPA Australia and the Institute of Chartered Accountants Australia

Procurement Capability Standards

Corporate Plan

SERIES A : GUIDANCE DOCUMENTS. Document Nr 3

FX Week conference "State of play, state of flux: a regulator's perspective"

CWU SUBMISSION TO BIS CONSULTATION TUPE REGULATIONS 2006: CONSULTATION ON PROPOSED CHANGES TO THE REGULATIONS

PROCUREMENT & LOGISTICS DEPARTMENT

Financial Planner Remuneration

Fair and transparent pricing for NHS services

Regulation of Investigatory Powers Act 2000

National Broadband Network Companies and Access Arrangements Bills

PERARES PROJECT EVALUATIONS

VOTE Accident Insurance

Guide to Developing a Quality Improvement Plan

Information Governance Policy

DISCUSSION PAPER: GREY AREAS - AGE BARRIERS TO WORK IN COMMONWEALTH LAWS

Regulatory measures reported since the 2015 Spring Repeal Day 2

Ofcom response to the Lords Science and Technology Committee report on Personal Internet Security

Embedding Digital Continuity in Information Management

Information Governance Strategy & Policy

Future of Financial Advice: Best interests duty and related obligations

Data Communications Company (DCC) price control guidance: process and procedures

Presentation to ASIC/ASX Conference

Procurement Services Document Control Sheet

Submission to Standing Senate Committee on the Environment, Communications and the Arts on the adequacy of protections for the privacy of Australians

COMPLAINTS HANDLING POLICY AND PROCEDURES

ADDRESSING SPECIFIC ISSUES IN TAX

Retention of Communications Data Code of Practice

APPLICATIONS. UCD School of Architecture Professional Diploma (Architecture) PROGRAMME INFORMATION

Risks to customers from performance management at firms

NATIONAL INSURANCE BROKERS ASSOCIATION OF AUSTRALIA (NIBA) SUBMISSION TO THE ECONOMIC REGULATION AUTHORITY

Pre-application service for Nationally Significant Infrastructure Projects

How To Handle A Complaint From An Nhs Pension Fund

A Guide to Corporate Governance for QFC Authorised Firms

4.2 The Scope Order is made under the power in s 4(2)(e) of the Act.

RISK AND COMPLIANCE COMMITTEE CHARTER

Ofcom consultation: Regulation of VoIP services Issued on 22 February Response by the FCS VoIP Group- May 2006

Registration must be carried out by a top executive or a number of executives having the power to commit the whole company in the EU.

DRAFT DATA RETENTION AND INVESTIGATORY POWERS BILL

IN CONFIDENCE. Regulatory Impact Analysis Requirements: New Guidance

Review of remote casino, betting and bingo regulatory return and gambling software regulatory return. Consultation document

injury management practices

Client Complaints Management Policy Summary

Meeting Summary. Trusted Trader Industry Advisory Group 1:00pm 4:00pm Thursday, 29 January 2015 Melbourne

GETTING IT RIGHT FOR CONSUMERS

The performance of the Australian Securities and Investments Commission Submission 202

ICT SERVICE LEVEL AGREEMENT MANAGEMENT POLICY (EXTERNAL SERVICE PROVIDERS/VENDORS)

Accreditation of qualifications for registration as an oral health practitioner

Online Copyright Infringement. Discussion Paper

FINANCIAL ADVISERS REGULATION: VOLUNTARY AUTHORISATION

RE: Submission to Inquiry into the funding of political parties and election campaigns.

Submission. Ministry of Economic Development. Draft Insolvency Law Reform Bill Discussion Document. to the. on the

Public Consultation regarding Data Sharing and Governance Bill. Contribution of Office of the Data Protection Commissioner

Grant Programme Guidelines Community Development Grants Programme

Code Committee Review of the Code of Professional Conduct for authorized financial advisers

Number 3 of 2011 COMMUNICATIONS (RETENTION OF DATA) ACT 2011 ARRANGEMENT OF SECTIONS

SWANSEA UNIVERSITY. The Institutional Duty Regarding Reasonable Adjustments. For Information and Dissemination. Consultation / Approval History

EU: 2015 Place of Supply Changes Changes to the VAT place of supply for e-services

National Occupational Standards. Compliance

A report on the Commonwealth Ombudsman s activities in monitoring controlled operations

Cloud and surveillance

Bills Digest No

Click here for Explanatory Memorandum

WORK HEALTH AND SAFETY CONSULTATION, CO-OPERATION AND CO-ORDINATION

About this document? This file is updated regularly with new questions. The responses are valid at the dates indicated.

ASX LISTING RULES Guidance Note 23

Transforming Work Health and Safety Performance

Merchant guide to PCI DSS

Report on the EMR Delivery Body s performance of its functions in relation to the Capacity Market

Capital gains tax treatment of earnout arrangements

TR41.11/ DRAFT October 6, 2000 Written by David Ling, HP VISION PROBLEM STATEMENT

NOS. Supply Chain Management Occupational Standards

CIVIL SERVICE COMMISSION. RECRUITMENT PRINCIPLES: review. Consolidation of previous changes and proposed amendments to the explanatory text

AUSTRALIAN COMMUNICATIONS AND MEDIA AUTHORITY REVIEW OF THE TELECOMMUNICATIONS LABELLING (CUSTOMER EQUIPMENT AND CUSTOMER CABLING) NOTICE 2001

International money transfers public interest determination applications. Consultation paper

THE HON JOSH FRYDENBERG MP Assistant Treasurer SPEECH FINANCIAL SERVICES COUNCIL BT FINANCIAL GROUP BREAKFAST SYDNEY 15 APRIL 2015

COMMUNICATION FROM THE COMMISSION TO THE COUNCIL, THE EUROPEAN PARLIAMENT AND THE EUROPEAN ECONOMIC AND SOCIAL COMMITTEE

Deduction of income tax from interest: peer-topeer

OXFORD UNIVERSITY DEPARTMENT FOR CONTINUING EDUCATION PANEL OF PART-TIME TUTORS. Generic Job Description for Part-time Face-to-Face Tutors

SOFTWARE ESCROW AGREEMENTS: A BUSINESS CONTINUITY STRATEGY PAPER PRESENTED FOR NEW ZEALAND COMPUTER SOCIETY THE LAW OF IT SEMINARS

Proposed Changes to ASX Listing Rules and Guidance Note 9. Corporate Governance Disclosures

Procurement Functional Leadership Progress Report April 2015 to September 2015

Consultation Paper on the draft proposal for Guidelines on methods for determining the market share for reporting

The Audit Committee self-assessment checklist

Quorum Privacy Policy

Facilitating debt raising

Transcription:

25 June 2015 Communications Essentials Implementing the Data Retention Regime Speech delivered by Ms Jamie Lowe, Communications Access Co-ordinator Page 1 of 11

Introduction Thank you for inviting me to speak to you today about the data retention obligations. Before I start, I d like to thank the Communications Alliance for its engagement with the department on data retention to date. Communications Alliance has been an important partner in the development of the data retention legislation and as we embark upon the implementation process. As we talk about implementing the new data retention obligations, I think it s worthwhile acknowledging that the policy debate around data retention can fairly be described as a vigorous and passionate debate - there were a variety of matters about which reasonable minds could genuinely disagree. As many of you here will know, the legislation is intended to ensure that key pieces of telecommunications data are available to assist law enforcement and security agencies in their investigations. Achieving this though necessarily relies on service providers and while there may have been disparate views on the policy, I m confident that continued engagement and collaboration can support effective implementation, and ultimately achieve the objects of the legislation. In that spirit, today I will speak mainly about implementation of the obligations, particularly the role that I, as Communications Access Coordinator, play in approving data retention implementation plans and applications for exemptions from, or variations to, the obligations. In that context I ll also mention some of the work that the Attorney-General s Department is undertaking to assist providers to understand and implement the new obligations. Finally, I will touch briefly on the Government s proposed telecommunications sector security reforms, ahead of the upcoming release of the exposure draft legislation for public consultation. Data retention the basics As you know, the Data Retention legislation passed through Parliament in March this year. My office has since put out a range of guidance material and talked to or met with many providers. Page 2 of 11

There remains some misconceptions in a number of quarters around the data retention obligations, so, before I go any further, I thought it might be useful to clarify what the data retention obligations do and don t require. The obligations do require service providers to retain a limited set of telecommunications data, set out in the legislation, for at least two years. The obligations do require providers to protect retained data in two ways, namely by: encrypting retained information; and protecting retained information from unauthorised interference or access. The obligations do not require providers to retain data on a separate, dedicated storage system - as required in the European Union. Providers can choose to increase their usual, operational storage if this is a viable option for them. The obligations do not require providers to store their retained data in a single location. The obligations do not require providers to implement request management systems or build specific delivery systems. Agencies data requests continue to be covered by the Telecommunications Act, which states that service providers must provide agencies with reasonably necessary assistance, with the cost of that assistance split on a no-profit, no-loss basis. The obligations do not require providers to retain the legislated data in a specific format. The obligations do not require internet service providers to retain data about their subscribers web browsing history. I acknowledge that the expression web browsing history was used during Parliamentary debates and media commentary alike, but is not a term of art in the industry. For the purpose of clarity, in the case of ISPs, the legislative exclusion extends to all destinations on the internet where an ISP s customers may send or receive information. The only exception is where the ISP is offering an additional relevant service that requires destination information to be retained, such as VoIP or e-mail. The obligations do not require service providers to retain data for some service types, these include: broadcast services services supplied within an immediate circle, and Page 3 of 11

services supplied only to places in the same area. These exclusions ensure that institutions, particularly corporations, are not required to retain telecommunications data in relation to their internal networks. The exclusions also make it clear that entities, such as coffee shops, that happen to offer internet access to their customers do not have data retention obligations. The obligations do not require providers to retain data about every packet that passes over their network. Instead, the Act allows individual packets to be aggregated into a single communication session for the purpose of the obligations. The obligations do not require providers to retain data that is not relevant to the service they provide. This means that a provider may not be required to retain data for all six categories in the data set. This is possibly one of the most misunderstood aspects of the data retention regime. The relationship between a telephony reseller and its wholesale provider is a useful example to explain the point. The data retention obligations apply to both, but the data each retains depends on the specific arrangement between them for delivery of telephony services. A typical arrangement is that the wholesale provider manages the service while the reseller deals with the end-user relationship. Where that s the case, the wholesale service provider is required to retain all six categories of data in relation to the communications on its network. However, the customer data it logs will simply identify the reseller. The reseller is required to retain the richer data about its particular customers. There is no requirement for the wholesaler and reseller to pool their data. In this example, if an agency wanted to find out the subscriber of a particular phone when a particular call is placed, it would submit two data requests one to the wholesale provider for the details of the call, and another to the reseller for the detailed subscriber information. Page 4 of 11

Finally, the obligations do allow service providers to work together to meet their data retention obligations. The legislation requires providers to keep, or cause to be kept, the specified data. The formulation of that obligation supports co-operation or one-for-many federated data retention solutions. Whether you want to go it alone, work with a vendor or seek out a cooperative solution is a business choice for each provider to make. Data retention what next The data retention obligations come into effect on the 13 th of October this year. Service providers will need to comply with their data retention obligations by this date. Service providers that cannot comply by the 13 th of October may apply to me for: approval of an implementation plan that details how they will achieve compliance over the 18 months from 13 October 2015 to 13 April 2017, and/or an exemption from and/or variation of their data retention obligations in relation to one or more services they provide. The legislation requires me to consult with law enforcement and security agencies before I make a decision on an application. In making my decision, I must take into account not only the interests of these agencies, but also the objects of the Telecommunications Act, including the promotion of an efficient and competitive telecommunications market. One of the matters that I am expressly required to consider is the service provider s compliance costs, and how, in the case of an implementation plan application, an extension would help manage those costs. By law, I have 60 days to consider each application. Accordingly, providers should have their applications to me a minimum of 60 days before the 13 th of October being 13 August - if they hope to have an agreed application in place by commencement of the obligations. I would however encourage all providers to lodge plans in July or early August to facilitate any necessary engagement on or adjustment to the plan before the deadline. My office has developed application templates and guidance material to assist with this process. Page 5 of 11

Data retention Implementation Plans More detail Data retention implementation plans, or DRIPs as we affectionately call them, were introduced in response to direct industry feedback that implementation of working, cost-effective data retention solutions would require 18 months, in part to align with capital and renewal cycles. Approved DRIPs give providers up to an additional 18 months, on top of the 6 months delayed commencement, to meet their data retention obligations. Providers that want to take advantage of this facility will need to set out all their services that are subject to the data retention obligations - including the services that will be compliant on the 13 th of October this year. For the services that will not be compliant by this date, providers will need to detail per service the steps they will take to achieve compliance by the end of their requested period. The maximum implementation period allowed in the legislation is 18 months or up to the 13 th of April 2017. That means that from the 13 th of April 2017 all providers should be compliant with their data retention obligations or hold an exemption or variation. Data retention Exemptions and variations Providers can also apply to me for an exemption from all or part of their data retention obligations in relation to one or more services they provide. This mechanism mirrors the existing framework for exemptions from interception capability obligations, and will be familiar to some of you. Given the considerable variation between networks and services, I will generally consider these applications on a case-by-case basis. If I agree to exempt a provider from complying with all or part of its obligations, this decision must be kept confidential. Any publication of an exemption may naturally affect the ability to maintain that exemption. I may also reference a class of service providers in an agreed exemption, for example I may specify that IPTV service providers are not required to retain data in relation to that service. Page 6 of 11

Industry assistance the Government We know that the data retention obligations create work and, necessarily, cost for the telecommunications industry. The Government acknowledged this when it announced a package of $131.3 million over three years to help the telecommunications industry with the upfront capital costs of data retention. Of this, $128.4 million will go directly to industry. The design of the industry funding programme is still subject to final decisions within Government, but we hope to make it available in the third quarter of this year. I can, however, advise that the funding programme is being designed to take into account recommendation 16 of the PJCIS report on the data retention bill as committed to by the Government in its response to the report. The recommendation called for a contribution to upfront capital costs that takes into account variation within the industry. The recommendation drew particular attention to the needs of smaller providers; the differing impact of the obligation across industry-segments; and the fact that some companies have recently invested in data retention capabilities. Industry engagement now and into the future As I mentioned earlier, we know that successful implementation of the data retention obligations depends largely on how successful we are at engaging with you - industry. This was also recognised by the Government when it created the joint Government-Industry Implementation Working Group on introducing the Bill. This is a group that we find to be an effective vehicle for collaboration between government and industry on implementation of the obligations. During the development of the Bill the Department benefited from the views of industry, including through Communications Alliance and the Implementation Working group. Industry views influenced the formulation of the data set, and the development of extended implementation arrangements to support a transition to full compliance with the new obligations. Page 7 of 11

We are now very much looking forward to working with providers as they seek to give effect to the obligations, and have developed a package of guidance materials we hope will be helpful in that regard. We are also continuing that conversation, and updating our guidance material to provide assistance on new questions as they are asked. Communications Alliance, in consultation with the Internet Society, is currently leading development of guidelines on the encryption and protection of retained data, recognising the need for consistent guidance that address the technical challenges inherent in implementing protection in complex data systems. We have created a dedicated data retention industry phone number, which we call our hotline, to provide industry with a direct line in to the Department - to support understanding and implementation of the data retention obligations. In addition to this work to date, we also have a number of measures in train to further assist the telecommunications industry with understanding and implementing its data retention obligations. One of these measures is a commitment to include practical examples and case studies in the next iteration of the data retention guidance documents. This suggestion was made by industry members of the Implementation Working Group, and I would like to thank Communications Alliance for volunteering to initially draft this material and put it to the group for agreement. We are bringing together a data retention Agency Technical Team or the A Team as we like to call it made up of technical and operational specialists. From next month, members of this team will be available to help service providers to understand how the data retention obligations apply to their services. Lastly, we are currently exploring options for an e-form to facilitate the online lodgement of DRIPs. Our hope is that using e-forms will make form-completion easier for you, reduce the need for my office to contact you seeking clarifications, and perhaps assist any future application process for funding. All things going well, the form will become available before August. Page 8 of 11

Data retention future contact points Hopefully that gives you a broad picture of our role, and a flavour of the work my team is doing to genuinely support the implementation of these significant changes. Before I move on to briefly mention the government s proposed telecommunications sector security reforms, I want to share some contact details and introduce you to the team that I have brought with me today. The team supporting me in this work can be reached via a group email address: CAC@ag.gov.au. We also have a dedicated phone hotline number, 02 6141 2884. Through email or phone you ll be able to reach the right people to help with any questions, and to provide the most up to date guidance material available. The staff here today represent a broad range of skills and experience. They re here as part of their commitment to work with as many providers as possible, and to help wherever possible including by being available today to answer any questions you may have after the formal presentations. By introducing them, I am hoping to help you to seek out the right person after this seminar should you have any residual questions about data retention. Many of you would be familiar with Anna Harmer, Assistant Secretary of the Electronic Surveillance Policy Branch. Anna is responsible for managing both the policy and implementation of the data retention regime. Greg is the Director of the Electronic Surveillance Capability and Engagement Section, within Anna s Branch. Greg is responsible for the data retention guidance material and general industry engagement matters. Jane is an Assistant Director in Greg s section. Jane s background is in electrical engineering and she has a range of experience in telecommunications industry regulation. Sabiq is a Legal Officer working with Jane and Greg. Sabiq assists with the data retention hotline and is a great first point of contact in the Department. Jeff is from the AFP, and is one of a number of agency technical representatives supporting the implementation of the data retention scheme. Jeff s background is in electronic communications, and he brings with him operational experience from his work with the AFP. Page 9 of 11

All of these representatives will be happy to chat to you further today, or at any time throughout the data retention implementation period and beyond. TSSR I thought I would also take the opportunity of speaking to you today to mention the Government s proposed telecommunications sector security reforms As you may be aware, the Attorney-General has signalled the Government s intention to proceed with legislative reforms to better manage national security risks to Australia s telecommunications networks particularly those that emerge through the global supply chain. A separate team in the Department is leading this work but I mention it today given your likely interest in the issues. The proposed reforms, set out in the exposure draft of the legislation that will be released shortly, largely reflect the approach that was recommended by the PJCIS in 2013 and previous discussions with industry. The exposure draft will be published on the Attorney-General s Department website for a period of public comment. Given the extensive consultation with industry to date, we do not at this stage propose to hold further stakeholder consultation workshops unless there is strong interest from industry for us to do so. The Department is committed to implementing the reforms in a manner that: complements the data retention regime; minimises impacts on industry; and provides for a level playing field across the sector. It is likely that introduction of the Bill into the Parliament will take place later this year, with referral to the PJCIS for further public inquiry also likely. The Department has committed to working with industry on the administrative guidelines to support the legislation and an updated draft of these guidelines, based on previous industry feedback, will be circulated for further consultations. Page 10 of 11

Thank you Can I conclude by thanking you once again for the opportunity to speak to you today. I take my role as the Communications Access Coordinator seriously, and value the opportunity to engage with the telecommunications industry on the frameworks through which assistance to law enforcement and security agencies is facilitated. I am sure that many of you will have the opportunity to engage with my team in coming months, and I look forward to working with you as we collectively give effect to these significant reforms. Thank you. Page 11 of 11

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information