-
On this page
Last updated: 30 November 2023
Overview
This resource provides an overview for telecommunication service providers of their obligations to maintain records of disclosures under ss 306 and 306A of the Telecommunications Act 1997(Telecommunications Act).
Generally, the Telecommunications Act prohibits the disclosure of information obtained during the supply of telecommunications services.[1] However, both the Telecommunications Act and the Telecommunications (Interception and Access) Act 1979 (TIA Act) contain exceptions to this general prohibition that enables telecommunications service providers to disclose information in limited circumstances.
If a telecommunications service provider discloses information under certain exceptions contained in the Telecommunications Act or the TIA Act, it must create and keep a record of the disclosure. These records must comply with specific requirements contained in ss 306 and 306A of the Telecommunications Act.
The Office of the Australian Information Commissioner (OAIC) is responsible for monitoring compliance with the record keeping requirements contained in Part 13, Division 5 of the Telecommunications Act.[2]
Who needs to comply with the record-keeping requirements?
Generally, the ss 306 and 306A record-keeping requirements in the Telecommunications Act apply to ‘eligible persons’.[3] An ‘eligible person’ includes a carrier, carriage service provider and their respective employees.[4]
The record-keeping requirements also apply to ‘associates’, which includes a person who performs services for or on behalf of the carrier or carriage service provider.[5]
These entities are collectively referred to as ‘telecommunications service providers’ in this resource.
More information about the terms ‘carrier’ and ‘carriage service provider’ can be found on the Australia Communications and Media Authority’s website at www.acma.gov.au.
When do the record-keeping requirements apply?
Under ss 306 and 306A of the Telecommunications Act, if a telecommunications service provider discloses information in accordance with certain exceptions, it must create a record of the disclosure.
The exceptions fall into two broad categories: general disclosure exceptions[6] and prospective authorisation exceptions[7].
General disclosure exceptions
The general disclosure exceptions enable telecommunications service providers to disclose information in certain circumstances, including to prevent or lessen a serious threat to the life or health of a person, or if summoned to give evidence or produce documents.
Telecommunications service providers must create and keep a record of any disclosure made under the following general disclosure provisions:
- ss 280, 281, 284, 286, 287, 288, 289 and 292 of the Telecommunications Act
- ss 180 and 180A of the TIA Act.
More information about the above general disclosure exceptions can be found at Table 1 in Appendix A.
Prospective authorisation exceptions
The prospective authorisation provisions in the TIA Act generally enable criminal law-enforcement agencies to authorise telecommunications service providers to disclose information or documents that may come into existence during a particular future period of time.[8]
Telecommunications service providers must create and keep a record of disclosures made under ss 180 and 180A of the TIA Act (see Table 2 at Appendix A for more information).
When does the record need to be created?
General disclosure exceptions
For general disclosures, records must be created as soon as practicable after the disclosure and, in any event, within five days of the date of disclosure.[9]
If an associate makes a disclosure, they must make a record as soon as practicable after the disclosure and, in any event, within five days of the date of disclosure and give that record to the carrier or carriage service provider within five days of making the record.[10]
Prospective authorisation exceptions
For prospective authorisations, the record must be created as soon as practicable after the day on which the authorisation ceases to be in force and, in any event, within five days after that date.[11]
If an associate makes a disclosure, they must make a record as soon as practicable after the day on which the authorisation ceases to be in force and, in any event, within five days of the day on which the authorisation ceases to be in force and give a copy of that record to the carrier or carriage service provider within five days of make the record.[12]
What information needs to be included in the record?
Section 306 and section 306A of the Telecommunications Act sets out the requirements for records of disclosures made on the grounds of a general disclosure exception or a prospective authorisation exception respectively.
These records may be made, given or retained in either written or electronic form.[13]
The requirements of ss 306 and 306A are outlined separately below.
Records of disclosure – general disclosure exceptions
Name of the person who disclosed the information or document
Section 306(5)(a) provides that records of disclosures made under the general disclosure exceptions must set out the name of the person who disclosed the information or document concerned.
In most cases, the name of the ‘person’ who disclosed the information will be the name of the telecommunications service provider.[14] However, there may be some instances where a service provider will need to record the name of the individual who makes the disclosure. For example, s 281 of the Telecommunications Act authorises disclosure of information by a person summoned to give evidence. As only individuals may give evidence in court, in this instance the record of disclosure should identify the name of the individual who made the disclosure.
As a matter of best practice, the OAIC recommends that records of disclosure include both the name of the telecommunications service provider and the name (or other unique identifier) of the individual who made or actioned the disclosure/s. Telecommunications service providers should also be mindful of their obligations under Australian Privacy Principle (APP) 11, which requires APP entities to take reasonable steps to protect personal information they hold. A reasonable step that entities could take to protect the personal information they hold is to record the employee name (or other unique identifier) on records of disclosures to help identify instances of unauthorised access or disclosure.
Date of disclosure
Section 306(5)(b) provides that records of disclosures made under the general disclosure exceptions must set out the date of the disclosure.
A statement of the grounds for the disclosure
Section 306(5)(c) provides that records of disclosures made under the general disclosure exceptions must set out a statement of the grounds for the disclosure. This statement should identity the relevant provision in either the Telecommunications Act or the TIA Act that authorised the disclosure.
If the disclosure is required or authorised under a warrant
If the disclosure is required or authorised under a warrant and s 280(1)(a) applies to the disclosure, s 306(5)(ca) provides that the record of disclosure must set out the:
- provision of the law under which the warrant was issued
- name of the person who issued the warrant
- date of the issuing of the warrant.
If the disclosure is required or authorised by or under law
If the disclosure is required or authorised by or under law and s 280(1)(b) applies to the disclosure, s 306(5)(cb) provides that the record of disclosure must set out the provision of the law which required or authorised the disclosure.
For example, in the event that a notice to produce power was exercised, it would be expected that the telecommunications service provider records the particulars of the notice to produce powers.
Section 280(1)(a) does not by itself allow the use or disclosure of the information or document, so should be recorded alongside the underlying authorising provision.
If the disclosure is made on the grounds of an authorisation under the TIA Act
If the disclosure is made on the grounds of an authorisation under the TIA Act (ss 178, 179, 180(3) or 180A), the record of disclosure must set out the:
- name of the person who made the authorisation
- data of making of the authorisation.[15]
Under the authorisation provisions in the TIA Act, only an ‘authorised officer’[16] from a requesting entity may authorise a telecommunications service provider to disclose information. Consequently, the ‘name of the person’ who made the authorisation should be the name or other identifier of the individual officer from the requesting entity that authorised the disclosure.
If the disclosure is not made on the grounds of an authorisation under the TIA Act
If the disclosure is not made under an authorisation in the TIA Act, but the disclosure was at the request of another body or person, the record of disclosure must set out the:
- the requesting party’s name
- date of request.[17]
If the disclosure relates to the contents or substance of a communication carried by a carriage service
Section 306(5)(f) provides that if the information or document used or disclosed relates to the contents or substance of a communication carried by a carriage service (e.g. telephone, internet or Voice over Internet Protocol (VoIP) services), the record of disclosure must set out the particulars of that carriage service.
If the disclosure includes information of a kind specified
If the information or document used or disclosed is or includes information of a kind specified in one or more items of the table in s 187AA(1) of the TIA Act,[18] the record of disclosure must set out:
- the number of those items
- a description of the content of those items.[19]
Telecommunications service providers should include the applicable item number/s from the table below and a brief description of the content of those items.
A description of the content of those items means listing the kind of information, for example, ‘name’ and not the actual information such as ‘John’.
Section 187AA(1) of the TIA Act is set out below and provides the kinds of information that a telecommunications service provider must keep, or cause to be kept, relating to any communication carried by means of the service.
Telecommunications service providers are not expected to create an additional copy of this information in the record of disclosure.
Item | Topic | Description of information |
---|---|---|
1 | The subscriber of, and accounts, services, telecommunications devices and other relevant services relating to, the relevant service |
|
2 | The source of a communication | Identifiers of a related account, service or device from which the communication has been sent by means of the relevant service. |
3 | The destination of a communication | Identifiers of the account, telecommunications device or relevant service to which the communication:
|
4 | The date, time and duration of a communication, or of its connection to a relevant service | The date and time (including the time zone) of the following relating to the communication (with sufficient accuracy to identify the communication):
|
5 | The type of communication or of a relevant service used in connection with a communication |
|
6 | The location of equipment, or a line, used in connection with a communication | In relation to the equipment or line used to send or receive the communication:
|
Records of disclosure – prospective authorisation exceptions
Name of the person who made the disclosure
Section 306A(5)(a) provides that records of disclosures made under the prospective authorisation exceptions must set out the name of the person or persons who made the disclosure or disclosures.
Date of the first and last disclosure
Section 306A(5)(b) provides that records of disclosures made under the prospective authorisation exceptions must set out:
- if only one disclosure is made because of the authorisation — the date of the disclosure, or
- if more than one disclosure is made because of the authorisation — the date of the first and date of the last disclosures.
As outlined above, the prospective authorisation provisions in the TIA Act generally enable law enforcement agencies to authorise telecommunications service providers to disclose information or documents that may come into existence during a particular future period of time. The OAIC considers that a disclosure occurs each time specified information or a document comes into existence during the authorisation period and is then released by the service provider to the relevant law enforcement agency.
The ‘date of the first disclosure’ means the date the first specified document or piece of information is disclosed to the relevant law enforcement agency. Similarly, the ‘date of the last disclosure’ refers to the date the last specified document or piece of information is disclosed to the relevant law enforcement agency. Consequently, the record should identify the dates of the first and last disclosure of information to the law enforcement agency. These dates may not necessarily correspond to the dates of the start and end of the authorisation period.
A statement of the grounds for the disclosure
Section 306A(5)(c) provides that records of disclosures made under the prospective authorisation exceptions must set out a statement of the grounds for the disclosure. This statement should identify the relevant provision that authorised the disclosure.
Name of the person who made the authorisation and the date of the making of the authorisation
Section 306A(5)(d) provides that records of disclosures made under the prospective authorisation exceptions must set out the name of the person who made the authorisation and the date of the making of the authorisation.
How long do providers need to keep records of disclosures?
All records of disclosure must be retained for three years from the date of creation.[20] Copies of records of disclosures given to a carrier or carriage service provider by an associate must also be kept by the carrier or carriage service provider for three years.[21]
What is the role of the Office of the Australian Information Commissioner?
Under s 309 of the Telecommunications Act, the Information Commissioner has the function of monitoring compliance with the record-keeping requirements of ss 306 and 306A of that Act.
The OAIC may conduct inspections of telecommunication service providers’ records to ensure they comply with these requirements. There are offences and penalties under the Telecommunications Act for failing to comply with the record-keeping requirements.[22]
Appendix A: Disclosure exceptions that impose a record-keeping requirement
Legislation | Section | Description of exception |
---|---|---|
Telecommunications Act | 280 | Where the use or disclosure is required or authorised by or under law or a use or disclosure that is required or authorised under a warrant in connection with an enforcement agency operation |
281 | If a person makes the disclosure as a witness summonded to give evidence or produce documents | |
284 | If the disclosure is made to entities including the Australian Communications and Media Authority, Australian Competition and Consumer Commission, Telecommunications Industry Ombudsman and eSafety Commissioner if the information may assist them to carry out their functions or powers | |
286 | If the disclosure consists of emergency services related call information and is made to an emergency service organisation (e.g. police force) or despatch services for the purpose of dealing with the matters raised by that call | |
287 | Where the discloser believes on reasonable grounds that the use or disclosure is reasonably necessary to prevent or lessen a serious threat to the life or health of a person and it is unreasonable or impracticable to obtain their consent | |
288 | Where the use or disclosure is reasonably necessary for the purpose of the preservation of human life at sea and relates to the location of a vessel and is made for maritime communications purposes | |
289 | Where a person consents or is reasonably likely to be aware or made aware that such disclosures usually occur | |
292 | Where the use or disclosure is prescribed by regulations (Telecommunications Regulations 2001) | |
TIA Act | 177 | If the disclosure is voluntarily made to an enforcement agency and is reasonably necessary for the enforcement of criminal law, a law imposing a pecuniary penalty or for the protection of the public revenue |
178 | Authorisations for access to existing information or documents — enforcement of the criminal law | |
179 | Authorisations for access to existing information or documents — enforcement of a law imposing a pecuniary penalty or protection of the public revenue | |
180(3) | Authorisations for access to existing information or documents | |
180A | Authorisations for access to existing information or documents — enforcement of the criminal law of a foreign country |
Legislation | Section | Description of exception |
---|---|---|
TIA Act | 180 | Authorisations by an authorised officer of a criminal law enforcement agency for access to prospective information or documents |
180B | Authorisations by an authorised officer of the Australian Federal Police for access to prospective information or documents — enforcement of the criminal law of a foreign country |
Footnotes
[1] Telecommunications Act 1997 (Cth) ss 276, 277 and 278.
[2] Telecommunications Act 1997 (Cth) s 309.
[3] The ss 306 and 306A record-keeping requirements also apply to ‘eligible number-database persons’. Under the Telecommunications Act, the Minister may make a determination that an entity is a number-database person. However, there are currently no determinations in force. Consequently, ‘eligible number-database persons’ are not referred to in this resource.
[4] Telecommunications Act 1997 (Cth) s 271.
[5] Telecommunications Act 1997 (Cth) s 304.
[6] Telecommunications Act 1997 (Cth) s 306.
[7] Telecommunications Act 1997 (Cth) 306A.
[8] Under ss 180(3) and 180A(2) of the TIA Act, authorised officers may also authorise disclosure of specified information or documents that came into existence before the time the authorisation comes into force.
[9] Telecommunications Act 1997 (Cth) s 306(2)(a).
[10] Telecommunications Act 1997 (Cth) s 306(3).
[11] Telecommunications Act 1997 (Cth) s 306A(2)(a).
[12] Telecommunications Act 1997 (Cth) s 306A(3).
[13] Telecommunications Act 1997 (Cth) ss 306(6) and 306A(6).
[14] Section 2C of the Acts Interpretation Act 1901 states that, in any Act, expressions used to denote ‘persons’ generally includes a body politic or corporate as well as an individual.
[15] Telecommunications Act 1997 (Cth) s 306(5)(d).
[16] Telecommunications (Interception and Access) Act 1979 s 5.
[17] Telecommunications Act 1997 (Cth) s 306(5)(e).
[18] Under s 306(5A), if the Minister for Communications has made a determination under s 306(5B) setting out a table that specifies kinds of information, the table set out in that determination will apply in place of the table set out in s 187AA(1) of the TIA Act. However, there is currently no determination in force.
[19] Telecommunications Act 1997 (Cth) s 306(5)(g).
[20] Telecommunications Act 1997 (Cth) ss 306(2)(b) and 306A(2)(b).
[21] Telecommunications Act 1997 (Cth) ss 306(4) and 306A(4).
[22] Telecommunications Act 1997 (Cth) ss 306(7) and 306A(7).