Note: Where available, the PDF/Word icon below is provided to view the complete and fully formatted document
Parliamentary Joint Committee on Intelligence and Security

FALK, Ms Angelene, Assistant Commissioner, Regulation and Strategy Branch, Office of the Australian Information Commissioner

PILGRIM, Mr Timothy, Australian Privacy Commissioner, Office of the Australian Information Commissioner


CHAIR: Welcome. Although the committee does not require you to give evidence on oath, I remind witnesses that this hearing is a legal proceeding of parliament and warrants the same respect as proceedings of the House itself. The giving of false or misleading evidence is a serious matter and may be regarded as contempt of parliament. The evidence given today will be recorded by Hansard. Do you wish to make some introductory remarks before we proceed to questions?

Mr Pilgrim : Yes I do, thank you. Firstly, thank you for the opportunity to appear before the committee today. The Privacy Act contains a number of objectives, the first of which is to promote the protection of the privacy of individuals. This sits alongside other objectives, one of which is to recognise that the privacy of individuals must be balanced with the interests of entities in carrying out their legitimate functions and activities. This is consistent with international law, which recognises that the right to privacy is not absolute and requires an assessment to be made of whether the measures that may limit privacy are both necessary and proportionate to achieve that objective. Applying this in the context of the introduction of a data retention scheme, privacy interests must be balanced with the need to ensure that law enforcement and security agencies have access to the information necessary to perform their functions.

The bill would require the collection and retention of a very large volume of personal information. In doing so, it would remove the discretion that would otherwise be afforded to service providers to determine whether to collect and retain certain types of personal information.

The Australian Privacy Principles state that entities should only collect personal information that is reasonably necessary for their functions or activities. They further state that entities should only retain information for as long as necessary to carry out their functions and activities. Therefore, where the collection of telecommunications data is not necessary for a service provider's business purposes, and the retention of the data is for longer than otherwise needed, a mandatory data retention scheme has the potential to significantly impact individuals' privacy. It creates a risk that the data may be misused, such as through inappropriate access or the risk of identity theft and fraud as a result of data breaches. To minimise any impact, I would suggest that the committee should satisfy itself, firstly, that each item of the dataset that service providers would be required to collect and retain under the scheme is necessary and proportionate; and, secondly, that the retention period imposed in relation to each item of the dataset is also necessary and proportionate.

Turning to the proposal that a two-year data retention scheme be introduced, I make these comments. On the face of the publicly available information and evidence, including evidence provided to this committee by law enforcement and security agencies, there would appear to be a case as to why it is necessary to require service providers to retain certain telecommunications data for a period of time. The challenge is determining what is the appropriate time period for retention that balances the privacy interests of individuals with the needs of law enforcement and security agencies.

Statistical evidence, both international and domestic, seems to suggest that a large proportion of investigations use telecommunications data that is up to or less than one-year old. Acknowledging that there are differing views on what this evidence shows, it could nevertheless support a case for a shorter one-year data retention period. However, the case for a two-year data retention scheme is less clear. It may rest on information that is being made available to the committee but which is not being released publicly—I assume there to ensure that it does not prejudice the activities of law enforcement and security agencies. It is therefore important that close consideration be given to whether the evidence provided to the committee establishes that it is necessary to retain each item of telecommunications data for a minimum period of two years or, alternatively, whether a shorter retention period would meet the needs of law enforcement and security agencies.

However, I want to emphasise that any data retention scheme must be accompanied by privacy safeguards. I recommend that further enhancements be made to the safeguards currently in the bill. To that end, I recommend that the bill should ensure that all service providers who are required to collect and retain telecommunications data under any data retention scheme are subject to the Privacy Act. This is currently not the case. The bill should limit the purpose for which an authorisation to disclose information can be made to the investigation of serious offences and threats to national security. I will return to this point in a moment.

The bill should be amended to give the Australian Privacy Commissioner oversight of enforcement agencies' compliance with chapter 4 of the Telecommunications (Interception and Access) Act. This would complement the commissioner's existing oversight role of telecommunications data. The bill should include an obligation for service providers to notify the Australian Privacy Commissioner and any affected individuals if they experience a data breach that involves retained telecommunications data. The bill should be amended to include a sunset provision that the scheme expire five years after the end of the implementation period, unless reauthorised by the parliament.

I want to turn now to the issue of warrants. The types of data that service providers will be required to collect and retain under the proposed data retention scheme has the potential to build a detailed picture of a person's activities, relationships and behaviours. However, I am also mindful that the scheme does not require the retention of the content of communications—and this is an important consideration. The committee will have heard evidence about the impact of a requirement for a warrant to be obtained on an investigation-by-investigation basis. The issue is whether such a warrant scheme would achieve the right balance between the protection of privacy and the need to enable law enforcement and security agencies to efficiently and effectively investigate serious crime and national security issues.

In my submission, I did not advocate for the imposition of warrants. I took this position on the proviso that the bill be amended to limit the purposes for which telecommunications data can be used and disclosed to the investigation of serious crime and threats to national security. However, since lodging that submission, I note that the Attorney-General's Department has suggested that to meet Australia's obligations under the Council of Europe's cybercrime convention access to telecommunications data cannot be limited in this way. If that is the case then I consider that further thought needs to be given to what additional safeguards might be put in place when access is for the purpose of the investigation of minor offences.

As a final comment, I would like to address the issue of the regulations. The bill allows for regulations to be made that significantly affect the scope of the data retention scheme. In particular, the bill allows for regulations to be made relating to the services covered by the data retention scheme and the kinds of telecommunications data that service providers will be required to collect and retain. To ensure the greatest level of certainty, transparency and accountability possible, my preference would be for these matters to be included in the bill itself. However, I do note that in a period of rapidly changing technology this may not be achievable. In the event, then, that a decision is made to continue with the current model, with these matters being addressed in regulations, I consider that the bill should be amended to include a requirement for the undertaking of a privacy impact assessment, before any changes are made or new regulations are made, and that the Australian Privacy Commissioner be consulted in the making of any new regulations or changes to the existing regulations. This is particularly important where regulations authorise the handling of personal information in a way that is otherwise inconsistent with the standards set out by the Privacy Act.

Mr RUDDOCK: Congratulations on your award.

Mr Pilgrim : Thank you very much.

Mr RUDDOCK: I was pleased to see that. I will start by saying that I was interested in paragraph 4, the Office of the United Nations High Commissioner for Human Rights, because you rely on proportionality in relation to your observations about privacy, and I must say that I have always had some difficulty in understanding what 'proportionate' means. I was interested that the high commissioner suggests that where the right to life is involved—and that is terrorism—there must be a 'some chance' test. Would you accept that?

Mr Pilgrim : I would accept that, in considering the right to life issue, clearly the right to life is an extraordinarily important right, and where there is a clear threat to an individual's life then in those circumstances—

Mr RUDDOCK: A clear threat—not 'some chance'?

Mr Pilgrim : In my view where there is clear evidence that there is likely to be a threat to a person's life then certainly the privacy issue should take a step back, for want of a better description.

Mr RUDDOCK: The difficulty I have about warrants and people arguing about other procedures is that it seems to me that it ignores the fact that metadata is sought on the basis that you recognise that there is a potential threat but you do not necessarily know who is involved. So what you are seeking to do is to put together patterns of usage that will give you an idea about where you may in fact make your further inquiries. I can understand that with warrants, which require an enormous amount of work—and I have looked at a large number of warrants over time and I know the sort of evidence that is necessary—and I could not imagine that if you had to get access to metadata and present that level of evidence that you would ever get to first base in relation to terrorism inquiries. That is my concern. And I must say that I am going to put great weight on the human rights commissioner's test that it be 'some chance'. I certainly would not accept that it has to be clear evidence. I just say that.

Mr Pilgrim : Certainly. And I did not want to misuse the word 'clear' in that particular circumstance. And, yes, I do agree with the Commissioner for Human Rights.

Mr RUDDOCK: Who is not subject to the Privacy Act?

Mr Pilgrim : Regarding the reference I was making in my opening statement to service providers who may not be covered by the Privacy Act, within the Privacy Act itself—and you may recall this, Mr Ruddock—there is an exemption for small businesses—that is, businesses with an annual turnover of $3 million or less. As I understand it—and I expand on this in the submission—from information I have received from the Telecommunications Industry Ombudsman it can be assumed that there are likely to be quite a large number of small ISPs for example who may fall under the $3 million threshold and will still be collecting—

Mr RUDDOCK: You are suggesting that they should be included?

Mr Pilgrim : I have put forward two options of how that may work. Basically, yes, I believe there should be some level of regulation for them. The two options could be that they could be brought into the coverage of the act, and there are already a couple of mechanisms by which that could happen—for example, for them to be brought in by regulation. Otherwise, the other suggestion I make is that there could be a provision put into the bill that allows for the making of binding rules by me that would apply to those service providers. So there are a couple of suggestions I make in the submission.

Mr RUDDOCK: Were you bidding to carry out this work without budget supplementation.

Mr Pilgrim : I would like to say, yes, but I have to fess up and say no! I have had some discussions with the Attorney-General's Department about the possible implications of some of the additional functions in the bill.

Mr DREYFUS: I want to follow on from Mr Ruddock's questions about proportionality. Starting with the proposition that the collection of data is an interference with privacy—that proposition is beyond argument; it is the basis of your entire legislative framework—how is proportionality to be approached?

Mr Pilgrim : I think what we are seeing through this very process is part of that approach—how it is to be assessed. Without wanting to sound arrogant in any way, it is going to be the responsibility of the committee to weigh up the evidence—some of which many of us will not be privy to, particularly evidence that is given in camera—to form a view about whether the intrusion or the interference in a vast number of the Australian community's personal information is going to be balanced against the need for increased security through the investigative work that is being done by the law enforcement agencies and the security agencies. This is a balance—for want of a better description—that occurs quite frequently in the law enforcement agencies' work, as you would be aware, about the need to intrude on people's privacy for some greater social good, in particular a safe society.

Mr DREYFUS: Can I offer you a couple of the calculations that might be made. Let us say the great bulk of authorisations of requests for telecommunications data up until now have been for data that is less than six months old. To take the ASIO example, which I think you offered in your submission, 90 per cent of ASIO's requests fall in the category of under one year old. The committee, and the public of Australia, are provided with one example—for argument's sake, an egregious crime, a dreadful example, where telecommunications data has been of assistance in finding the perpetrator, solving the crime and getting a conviction. Does that one instance in this illustration that I am offering you constitute sufficient evidence or is it sufficient to say that it is proportionate to say we could go to two years?

Mr Pilgrim : There are a number of steps I would take there. If it was relying on just one piece of evidence about one case, it is questionable. What I have been hearing through the evidence provided publicly is that there are more than that many cases. We should not just limit it to the number of cases because, as we start looking at some of these matters—I am feeling a bit odd here because it seems like I am starting to defend the position of the law enforcement and security agencies—it is about how large an impact they could have on the community. A particular investigation could be one that prevents an attack which could impact on hundreds or thousands of people. So I think we need to look at the evidence, some of which we have heard throughout the committee process. And from what I am seeing, from what I have taken on board, there is, as I said in my opening statement, evidence to suggest that there is a case for some data retention scheme. The question we need to weigh up—which is what you are getting at—is: what is the length of that scheme? In my opening statement I suggested that there appears to be evidence that has been put forward that suggests that that information has been useful in those particular investigations. But it seems to be—as you have reminded me through our submission—that the majority of those pieces of information have been under 12 months old and in many cases under six months old. So the question is: what length of time should the data retention scheme be, if in fact there is a need for one?

Mr DREYFUS: What I am trying to get to is: how does the proportionality decision get made? I will give you a more extreme example. It is always going to be possible to find examples of crimes being solved by reference to very old data in some cases. Cold cases, almost, can be solved potentially by looking at five- or 10-year-old telecommunications data. And there is still in existence in Australia five- and even 10-year-old telecommunications data—not much of it, but some. Would the fact that it is possible for some agencies to provide this committee with examples of crimes that have been solved using much older data than even two years provide sufficient justification for a longer period than two years, as some of my colleagues on the committee have suggested in earlier questioning?

Mr Pilgrim : Again, I think we need to weigh up a number of issues. As we go and look at a scheme that is possibly going to require a longer retention period, we have to look at what risks that may incur to that information. If we are looking at information that is being held on the vast majority of the population we need to look at what the risk is to the population in terms of that information being misused or inappropriately accessed and then look at the potential of what cases may be able to be resolved as a result of that. I have been trying not to get down to a hard, clinical comparison between the numbers that may be resolved as a result of holding data on tens of millions of people. It becomes a fairly clinical exercise.

Mr DREYFUS: It is an inherently difficult value judgement to make, isn’t it, because you are comparing values which are in themselves of a quite different nature and therefore hard to compare—on the one hand, privacy values and values of liberty as against the need to protect life and to investigate serious crime?

Mr Pilgrim : It is. It is a very hard call to make and it is one that is dealt with in the privacy sphere on a number of different levels over a number of different sectors and jurisdictions—which is why we keep coming back to the point that, if a decision is made to implement a scheme such as this which is going to require, as I said, the holding or the collection and retaining of huge volumes of data and personal information about people for a long period of time, we need to look at what else we can put in place to do our best to secure that information. So we may need to make a call. The committee and the parliament ultimately would need to make a call on this bill. I see my role as part of this debate as saying that, if that call is made, what can we do to make sure that we strengthen the protections for that information wherever it is held. And I go into that in some areas in terms of security, data breach notification and the like.

Mr DREYFUS: On that last point, the mandatory data breach notification is something that you have gone to at page 19 of your submission. You would be aware that this requirement for a mandatory data breach notification was something recommended by this committee in May 2013 when considering mandatory data retention.

Mr Pilgrim : Yes, I recall that.

Mr DREYFUS: And you would also probably be aware what a bill, known as the Privacy Alerts Bill, lapsed on the proroguing of parliament in 2013.

Mr Pilgrim : I remember that well.

Mr DREYFUS: Would that legislation of that nature of general application—and in fact fulfils a recommendation of the Australian Law Reform Commission—satisfy the need for a mandatory data breach notification scheme?

Mr Pilgrim : As I recall the bill, the short answer to that question would be that, yes, it probably would. What I am recommending here is a mandatory data breach notification program. I am particularly putting it in the context of this bill because, as I said, this bill will require the collection and retention of quite a huge amount of personal information on individuals that would not necessarily otherwise need to be kept by those organisations for a long period of time and therefore it does increase certain risks. So just dealing with that issue in isolation to this bill, because of the huge amount of information that is going to be required should the bill pass, I think a mandatory data breach notification requirement will add an extra layer of protection for individuals should something occur to present them with some particular harm.

Mr DREYFUS: Just to flesh that out: if there cannot be a scheme of general application of a mandatory data breach notification scheme, in general, your recommendation is that at the very least there ought to be a mandatory data breach notification scheme for data retained by telecommunications providers under this legislation?

Mr Pilgrim : Yes. As I say in my submission, I think that a mandatory data breach notification scheme is warranted given the amount and volume of information that would be required to be collected and retained under this bill.

Mr DREYFUS: If this committee were to accept that suggestion—and it would indeed be acting on its own previous recommendation if it were to do so—your suggestion is that the notification requirement would be to notify your office and any affected individuals? We do not really have time—

CHAIR: No, we have time. I for one would be very interested if we could just get a sense of how this would actually work or what you are proposing.

Mr DREYFUS: There is a particular vexed question about notification of affected individuals, about whether or not it should be instant or whether there should be some discretion given to take a bit of time as to how to notify them. As you are aware, but perhaps others here are not, there have been some vast data breaches—that is probably a fair description—in the United States, even larger data breaches than here. I have in mind 70 million customer details from Target or, more recently, the 54 million customer details from Home Depot. We have had some pretty big ones here involving Sensis and the ABC—I do not mean to single them out but mention them by way of cross-reference—involving tens of thousands of customer details. Would the scheme in broad outline at least, and particularly the notification process that is set out in the privacy alerts bill, be what you have in mind for a requirement for service providers to notify any affected individuals?

Mr Pilgrim : There are probably several points I would make in terms of a notification scheme. I could refer the committee to a set of voluntary guidelines that our office has issued which have been in place for a number of years now. They were written and designed to assist both government agencies and private sector organisations covered by the Privacy Act to deal with data breaches and to decide what steps they should take. It sets out a four-stage process. I will not go through each of those processes, but clearly an important consideration is when and if notification should occur. What we have done in those guidelines is use the concept of 'serious harm' as being a step in which to start the consideration. Is there likely to be serious harm to an individual through the data being breached or being released inadvertently? This in itself is sometimes a difficult concept to get around—what would constitute serious harm?

So the starting point for an organisation to consider is: is there likely to be serious harm? An example could be that, if an organisation holds people's credit card details, those details are breached and are released, say, online. In those circumstances, we would suggest there is very strong likelihood of serious harm because, having got a hold of those credit card details, there could be, as I have suggested, identity fraud, theft or even accessing of accounts.

In those sorts of circumstances—and I am trying to generalise here because I never know what matter may end up before me—we think that that would constitute a strong argument for notifying those individuals so they could take immediate steps. In that circumstance, as soon as the organisation is aware that, say, the credit card details have been compromised, you would hope that there would be very quick steps taken to advise individuals so they can take remedial action with their banks, such as stopping the accounts, stopping the credit card or the like. So there are strong reasons there for notifying immediately.

But there will be other cases where you may not want to notify. If I could use one example without going into too much detail because of the nature of it, some years ago while I was in the office we had occasion to work with a law enforcement agency who itself had suffered an unfortunate data breach. They lost a database they held on an international investigation they were doing which included quite a substantial number of individuals' personal information, including their credit card details. It was not able to be found and the agency approached me to discuss what steps should be taken. In those circumstances, we weighed up the notification of those individuals against the issue of a very serious investigation that was being undertaken and what potential risk there would be to that investigation if people outside of the investigation team became aware that it was occurring.

So the steps we took there were to work with the law enforcement agencies and, through them, the financial institutions to find a way in which other steps could be put in place behind the scenes to monitor what may be going on with any of those live accounts to make sure that individuals were protected. Again, going back to your other question about proportionality, we had to weigh up the risks of a serious investigation being compromised and the potential for some individuals to perhaps have some of their financial accounts impacted on. It was not my final decision because we were not the agency responsible, but in giving the agency advice we came down on the steps where we were able to put other protections in place and allow the monitoring of those people's accounts to occur in case there were any illegal activities against them.

I am going through this long explanation because we work through these issues under the guidelines we have that are applicable to government agencies and the private sector—that is, our voluntary data breach notification guidelines. I think that would form a good model for any particular scheme, should one be agreed to through, say, an amendment to the bill to introduce a mandatory requirement.

Mr DREYFUS: Thanks, Mr Pilgrim. I was just checking and perhaps making sure we have on the record that there is a great deal of work being done already on what a mandatory data breach notification scheme might look like. There is not only your guidelines but a bill that this parliament has previously had before it—indeed, it passed the House of Representatives in June 2013—that we could refer to in thinking about what would be an appropriate mandatory data breach notification requirement to be inserted in the bill.

Mr RUDDOCK: I had a constituent come to me fairly recently with a letter from the Commissioner of Taxation saying, 'Somebody has accessed our database. You do not have to do anything about it; we just thought we should tell you.' I wondered what the value was in that and what the cost was. The Commissioner of Taxation was not telling the constituent anything about the nature of the database breach, just that there had been a breach.

Mr Pilgrim : That goes to a very important point. One of the things that is a risk is notification fatigue. In introducing any scheme, we would want to make sure we avoided that. That is why we are looking at a concept of serious harm happening to an individual, because there can be inadvertent breaches within large organisations. I could use the example of some of the public reports that have come out of some of the larger government agencies where they quite appropriately and for good transparency reasons in their annual reports will say that they investigated a certain number of cases of inappropriate access to their databases. These could be as simple as someone, say, typing in an incorrect client number. A person in the office could type in an incorrect claim number and the wrong name would come up. Quite appropriately, that officer would then say, 'That is the wrong person,' and get out of that person's information. But the system still may show that they have accessed it. That is a case where nothing has been done with the person's file and I would say it is a very minor issue, and I would certainly not expect the individual to be notified in that sort of scenario.

Mr DREYFUS: I would like to move to another matter, Mr Pilgrim, and that is that you have heard me put to Mr Neave your suggestion that the Privacy Commissioner, your agency, is a more appropriate oversight agency. Again, I am not seeking to encourage a demarcation dispute here, but Mr Neave's function already includes oversight of the enforcement agencies. That is the Ombudsman's role. It has been for many years. Your role already includes oversight of privacy compliance by, I would suggest, the overwhelming majority of the service providers. There might be a few mum-and-dad operations that you do not have oversight of, but all of the others are already captured by the Privacy Act. Mr Neave has helpfully identified for us that in the bill in its present form there is no oversight role conferred on him in relation to service providers. It is purely an expansion of the existing role that the Ombudsman would have in relation to enforcement agencies. I wonder if you could speak to that. We have your written submission, but I would like you, to assist committee members, to speak to the proposition that you have expressed at paragraphs 125 to 127—which is our page 113—that the privacy commissioner, your agency, is an appropriate oversight agency for the purposes of this large additional requirement that has been placed on telecommunications providers to keep, as you have described it, vast amounts of data.

Mr Pilgrim : Certainly, and I think that from my long understanding of the Ombudsman's role over many years of working with them they do an extraordinarily good job in terms of their current responsibilities under the telecommunications interception act. And I have no doubt that, should this bill in its current form go up, they would be able to undertake as high-quality a role.

Mr DREYFUS: Yes, and I would not want you to take as an implication from my question—

Mr Pilgrim : No, I was not.

Mr DREYFUS: I am exploring this. It is not any criticism of Mr Neave or of the Ombudsman's role or of his office or his excellent staff. There is just a question here for this committee and for the parliament as to how to make sure. And we all seem to agree that we need additional oversight. It is how that oversight is best delivered. That is what I am exploring.

Mr Pilgrim : And I certainly did not take your comments as being criticism of the Commonwealth Ombudsman. It was more of a comment to show that we all got on very well and recognise the good work that we each do.

In terms of this, though, what I was looking at was probably trying to move away from what have been the traditional roles, if you like, of various integrity agencies within the Commonwealth and, more importantly, look at an issue that we are dealing with here in a broader sense, which is the impact of what new technologies can do by way of collecting information. And the whole concept of personal information and the flows of it is extraordinarily dynamic, and it is not constrained by boundaries; it is not constrained, as you would appreciate, by domestic or country boundaries, by jurisdictional boundaries. And certainly now, when we are looking at the flows of information even within Australia, it is not constrained by, as we are dealing with here, issues such as what a Commonwealth government agency might hold and a private sector agency may hold. The data flows quite smoothly and quite regularly between entities. And the changes to the Privacy Act that came into force early last year reflect that. We moved away from having one set of privacy principles to regulate Commonwealth government agencies, including the enforcement agencies, and a separate set of principles for the private sector. That was a regulatory burden, because it recognised that the flow of information moved between those entities much more than it had, say, 20 years ago—or more than 20 years ago, when the Privacy Act was written.

So, in putting forward this proposal, if we are going to have an oversight mechanism, the proposal basically is saying, 'Well, let's look at this in terms of how the information flows' and 'How can we make sure that there is an oversight agency that can follow and track that flow of information through holistically?' So, we start off with the point that the service providers, should this bill go through parliament and pass, will be required to collect certain types of data and retain them for certain periods of time. I already have jurisdictional oversight for those large telecommunications providers who will be holding the largest amount of that information. I have a raft of powers there that I can use to check on what is happening with that information. For example, as you would be aware, I can undertake complaint investigations if an individual believes something has been mishandled. I can commence investigations on my own initiative without a complaint to see if I believe that there is an activity going on that might be in breach of the act. I can also do what is now called performance assessments; we used to use the term 'audits'. So, I can go in and randomly audit those service providers to see how they are holding that data. And to support that I also have a raft of powers for remedial action. I can use more. I try to conciliate matters, complaints. Or I can use a formal determination power to require an organisation to remedy an individual complaint and now also remedy a large systemic breach. And in the case of very serious matters I now have the ability to go to the courts to seek civil penalties.

So, there is a raft of powers there for me to be able to do that bit of work to oversight that information. And in doing that it looks at the whole issue of the collection of the information and also how long those organisations are retaining it, and make judgements on that. Under other various parts of this process—for example, under the Telecommunications Act, section 309—I have the ability to go into those service providers and check their records to see whether they receive an appropriate authorisation from a law enforcement agency to access the data we are talking about here. So I already have that power to check on the service providers.

Where I am going with this story is that, if we wanted to follow it holistically, I think it would also be a benefit for me to have the authority to check that the law enforcement agencies are actually undertaking the appropriate consideration when they first seek to issue an authorisation to get that information. Then I could follow that process of requesting that information into the organisation that is collecting it, through to how it is holding it, through to how it may be disclosing it back to the law enforcement agencies; and, ultimately, whether that organisation has disposed of that information after the set period it is required to keep it. So it is looking more at the totality of the information flows, if I can put it that way, and giving one view of whether it is being handled in accordance with each of the different procedures and requirements. I hope that was not too longwinded a response.

Mr DREYFUS: No, no—that was helpful. You do not have oversight of ASIO?

Mr Pilgrim : No. The Privacy Act has always excluded the intelligence agencies.

Mr DREYFUS: Yes—and that is the same proposition for the Ombudsman.

Mr Pilgrim : That is correct. You have already spoken to the—

Mr DREYFUS: There is a fence around the intelligence agencies.

Mr Pilgrim : That is right. You have already spoken to the IGIS today, I believe.

Mr DREYFUS: Yes. I am really just making that clear for all concerned. Going to another matter, a matter that was raised with us this morning by the Australian Information Industry Association, the trade grouping for the large—I am trying to think of the right generic term—

Mr Pilgrim : I am familiar with them.

Mr DREYFUS: telecommunications companies. I will call them that. They raised a concern, and they are going to come back to us, about the reach of this bill in terms of whom the retention requirement is being imposed on. That is something that you have touched on at some length on page 16 of your submission and in your recommendation 5, which is on page 6—our pages 85 and 95. Again, I ask you to speak to what the problem is with the range of services it is intended be captured by proposed new section 187A. We got some clarity from the Australian Information Industry Association this morning, in particular saying that it was not clear that 'cloud' services, VoIP, would be captured by the act or whether it was even intended that they be captured. What do you see as the problem that needs clarification here, Mr Pilgrim?

Mr Pilgrim : I will admit that, like a lot of people, I think, I am struggling with some of the technology based issues around this whole debate. But the examples that were given this morning are ones that I think we would agree with. We are just not clear whether they do fall in necessarily to the services that it is proposed be covered by the bill. I think from a regulator's point of view, that is possibly a bit of a challenge because, if we are not clear about whether those services do fall in or not, it is hard to be sure whom or what services we are supposed to be regulating—if we are to take some of our more proactive regulatory roles that I have described or if in fact we are going to be, say, pursuing individual complaints about a matter. I do not know that I can actually expand more on the examples we heard this morning and the ones we have in our submission, but they are the sorts of issues that we are not entirely clear on and we think there could be a little bit more clarity around those particular services.

Mr DREYFUS: A related point is your proposition that the data that is required should be set out in the legislation, as indeed the period of retention should be. I take it from that—I am paraphrasing, so correct me if I have not got this right—that your view is that members of the public are entitled to know what data the Australian parliament has legislated telecommunications providers be required to keep and for how long; and that it ought to be possible, simply as a matter of the democratic contract, if we can call it that, for people to go and look at an act of parliament and see what providers are required to keep.

Mr Pilgrim : Yes, that is true.

Mr DREYFUS: As to your suggestion that there ought to be a sunset provision on this legislation, if it is enacted: is that effectively based on a concern that this is an intrusion into privacy; that there ought to be continuing review; that five years is long enough to work out how effective this scheme, if it comes in, has been, and how effective oversight measures have been; and that legislating for a review is better than an indefinite imposition of what is going to be quite an onerous requirement?

Mr Pilgrim : Yes. Without repeating exactly what is in my submission, I think that, firstly, those issues are important ones to warrant a sunset clause. I also think that, given the changing nature of technology, it may be that we just cannot tell at this point in time—while we have an idea of the services and the types of information that will be covered, the change in technologies and devices that we are using, we cannot, I think, predict; they seem to be changing so quickly. So there may be bits of information that may start being collected that we had not anticipated or devices that may be able to collect them that we had not anticipated, and we may need to review whether in fact this scheme is working or whether there is more information that is being collected than we had anticipated. And I think that, given the volume of information that is going to be collected, that, in itself, warrants very considered reconsideration of the application of any scheme that may go into place.

Mr DREYFUS: Here is another possibility—and God forbid that this should occur: that a combination of increased use of technologies like VPN, Tor and encryption means that there has ceased to be a purpose in keeping data. If that were to occur, that might also be a basis for reviewing a scheme that is requiring the collection and retention of a large amount of data.

Mr Pilgrim : It could well be; yes. That goes to my point about the changing of technology, and I used the word 'devices' but certainly those over-the-top services, for example, could also change the very nature of the information, whether it is actually stored or collected at all.

Mr DREYFUS: The final matter I want to go to is: in your opening statement, you mentioned the proposition that you have put forward that the purposes for which—and, perhaps to make this clear, we are now talking not about the retention requirement; we are talking about the purposes for which data that has been retained is able to be used. Your suggestion was that it ought to be limited to national security and serious crime, but you then went on to say that more recent advice from the Attorney-General's Department has suggested to you that that limitation might not be possible. Could you speak to that for us, as to where that prohibition on limiting the use comes from and how it might be dealt with? I think what you said was that, for more minor matters, for more minor offences, some additional level of safeguard might be appropriate.

Mr Pilgrim : I firstly must admit to not having had a lot of opportunity to turn our minds more to it than yesterday, because we picked up that reference in the Attorney-General's Department's submission to the committee only yesterday. Do you have the exact reference?

Ms Falk : Yes. The Attorney-General's submission at page 44 states that:

As a party to the Council of Europe's Convention on Cybercrime, Australia has international obligations to make access to telecommunications data available for the investigation of all criminal offences. Article 14(2) of the Cybercrime Convention requires parties to ensure that telecommunications data is available for the investigation of any criminal offence, not just serious offences.

My understanding of the Attorney-General's submission is that that would not limit their ability to confine the nature of enforcement agencies that have access to the data to those that are responsible for investigating serious crime, but it would constrain them from restricting the access to that data by those enforcement agencies to only investigating serious crime.

Mr DREYFUS: And, in the short time you have had, your thought was—which you have expressed to us in your opening comments, Mr Pilgrim—that perhaps some additional safeguards might be introduced for the use of telecommunications data for more minor crime?

Mr Pilgrim : And, if we could, I would be happy to take that on notice and probably give that a bit more thought and just spell out a couple of points about some thinking around that, rather than trying to do it on the run—

Mr DREYFUS: Through the chair, I think we would be happy to receive any additional comment you have, in writing, on that point.

Mr Pilgrim : Sure. I will do that.

Mr DREYFUS: Thanks very much, Mr Pilgrim.

Mr NIKOLIC: Mr Pilgrim, I am keen to explore your view that a year for data retention is sufficient, given the evidence that you have seen and that has been placed before the committee. Is that accurate?

Mr Pilgrim : Yes. What I said in my opening statement was that there seems to be evidence put to the committee that the majority of the accesses required for particular investigations were around six months and up to 12 months. That would seem to support a possible data retention scheme of around that period. I then went on to add that, obviously, the bill is proposing two years, and so I suggested there may be further evidence to support that but that I am not privy to that information.

Mr NIKOLIC: Indeed, you are not. At paragraph 37 of your submission, you state:

The evidence put forward by Australian enforcement and security agencies, including evidence provided to the Committee at the hearing on 17 December 2014, states that telecommunications data that is less than one year old is used in a large proportion of investigations.

You then go on to say:

Specifically, the Australian Federal Police … made submissions . about the central role that telecommunications data plays …

And then at paragraph 38 of your submission, you say:

However, the case for a longer data retention period is less clear.

So I went to the comments of Commissioner Colvin to this committee on 17 December. He said:

The proposed dataset reflects the minimum crucial categories of data necessary to support investigations into serious criminal activity … Further, the AFP firmly believes the proposed two-year retention period to be a reasonable and appropriate time. Law enforcement agencies can then be confident that providers will not have discarded relevant data and seek access in clearly prescribed circumstances.

Long-term complex investigations have demonstrated the critical importance of access to the historical telecommunications data.

Given that you refer to the 17 December evidence, there seems to be a disparity that I am keen to explore between what you have said in your submission and what the commissioner said to this committee on 17 December. If you do not consider his comments about a two-year period as influential or as constituting evidence, why not?

Mr Pilgrim : I am certainly not saying that it does not constitute evidence. Reflecting on those particular figures, what I was looking at was the number or, I suppose, the percentage of matters they said that they used the particular information for, or the age of those matters seemed to be suggesting a longer—

Mr NIKOLIC: Why is the percentage important? You have placed a quantitative judgement rather than a qualitative judgement on this. If only 10 or 20 per cent of cases have this long-term need and result in 10 or 20 out of the hundreds of cases that come forward and stop 10 or 20 counterterrorism or serious criminal offences, why do you do it on the basis of the quantity rather than the quality of outcome that arises?

Mr Pilgrim : I am certainly not saying it is not based around the quality of the outcome. Earlier, as I was answering one of the questions, I suggested there are going to be matters that can impact. One investigation could have a potential impact on hundreds or thousands of people, and that is extraordinarily important. I suppose working through this information, as we interpreted it, we went off certainly the quantitative information. I am happy to review that, but I do not think we had seen a lot of qualitative information coming through to equate it. There were a lot statements around certain types of investigations. I am not saying that we have necessarily interpreted it entirely accurately, but I do not think we saw—

Mr NIKOLIC: The commissioner then went on to say on the quantitative side:

… I can advise that telecommunications data has been used in 92 per cent of counterterrorism investigations, 100 per cent of cybercrime investigations, 87 per cent of child protection investigations and 79 per cent of serious organised crime investigations.

He goes on to talk about operations Neath and Pendennis and a number of other case studies. I guess my question is: you are adamant in your submission that there is only evidence to support one year and you have come with the recommendation that one year is sufficient, yet here is the person, the commissioner, who is actually at the operational and tactical end of conducting these investigations saying, not with any sort of equivocation but definitively:

,,, the AFP firmly believes the proposed two-year retention period to be a reasonable and appropriate time.


Long-term complex investigations have demonstrated the critical importance of access to the historical telecommunications data.

Yet there is no evidence of that included, even though you mentioned the AFP in your submission, and I just find that an interesting omission.

Mr Pilgrim : We certainly recognise the evidence that was given to the committee about the number of cases in which telecommunications data was essential for those investigations; what we were looking at, when we referred to those numbers, was the age of the information that had been requested and saw that the majority of the cases were for information that was less than a year old. So we were taking it from that perspective.

I would also like to mention that I certainly have not said that there should only be one-year data retention; I said the evidence as we have assessed it certainly supports a case for doing that, but we have not ruled out two-year retention because we are saying that there is evidence that we have not been privy to, and probably for good reasons in terms of national security and the like, that the committee itself will have to weigh up to see if it supports an argument for a longer retention period.

Mr NIKOLIC: You comment at paragraph 37:

… 90% of the telecommunications data obtained by ASIO is less than 12 months old.

Therefore, on the evidence, you are happy to go with a one-year data retention period—

Mr DREYFUS: Chair, I have to interrupt my colleague here. I do not find it helpful to the committee's deliberations, nor to the public's consideration of this matter, for Mr Pilgrim's evidence to be misrepresented here by Mr Nikolic. It is a real concern to me—

Mr NIKOLIC: How am I misrepresenting his evidence?

Mr DREYFUS: I will be direct: Mr Pilgrim has not told this committee, either in writing or in his oral evidence here today, that he favours one year, full stop.

Mr NIKOLIC: No, but he has—

Mr DREYFUS: And it is unhelpful for all this questioning to be proceeding on the basis that that is what he said.

Mr RUDDOCK: I think my colleague is trying to clarify what he was saying.

Mr NIKOLIC: Absolutely.

Mr DREYFUS: Well, he should do so without verballing the witness—

Mr NIKOLIC: I am not verballing the witness at all.

Mr DREYFUS: and without misrepresenting what his written submission says.

CHAIR: I think Mr Pilgrim is big enough and brave enough to be able to make his point.

Mr DREYFUS: I am trying to save time here, Chair.

CHAIR: Okay. He did make that point and I am sure he will be able to make it again.

Mr NIKOLIC: You say at paragraph 37:

… 90% of the telecommunications data obtained by ASIO is less than 12 months old.

Therefore, you have expressed, on the available evidence as you see it, a preference for a one-year data retention period. Logically, 10 per cent of cases would, therefore, not be covered under your preference.

Mr Dreyfus interjecting

Mr Pilgrim : What I have proposed in my submission is that I think, on the evidence before me—

Mr NIKOLIC: Listen, I—

Mr Pilgrim : that there is potentially a case for—

Mr NIKOLIC: Chair, with respect, I did not interfere with the Hon. Mark Dreyfus, QC when he was asking questions.

Mr DREYFUS: You did not have cause to.

CHAIR: I think what we need to do is let Mr Pilgrim answer the question.

Mr Pilgrim : Thank you, Chair. On the evidence before us, as I have interpreted the evidence provided by the law enforcement agencies, as you said, 90 per cent of the telecommunications data obtained by ASIO was less than 12 months old. On the basis of that, I said that there was possibly a case there to support a data retention period of 12 months, one year. What I then went on to say was that there may be additional evidence that is provided to this committee that we are not privy to—and I said there may be good operational reasons why we are not privy to that—that could support a longer data retention scheme. That, again, without wanting to sound arrogant or telling the committee how it should do its job at all, is information that the committee will need to weigh up and, therefore, use when it comes down with its report for whatever length of retention scheme there should be.

Mr NIKOLIC: I guess I am referring to not just evidence that is available to the committee in camera but evidence presented by the AFP commissioner on a date that you yourself refer to in your submission. I just wonder whether you find influential his definitive comment about the necessity of a two-year period. If you do not, that is fine, but I guess my question is: if not, why not? It is not just something that the committee is privy to but something which is on the public record on a date you refer to yourself.

Mr Pilgrim : The information which I based my submission around is the information that suggests that the bulk of the data that is sought by the law enforcement agencies is data that is under 12 months old. So that is what I formed my view on. Again, without wanting to be too repetitive, I accept that there may be other, stronger information and data available to the committee that may support a longer period of time, and it is the role of the committee to decide that.

Mr RUDDOCK: Or whether you think proportionality has some chance.

Mr NIKOLIC: Given that that is the AFP Commissioner's strong and deeply held view, presented to the committee and to the public on 17 December, shouldn't we err on the side of caution in terms of detecting and preventing crime? What harm is there then in having a two-year period, from your perspective?

Mr Pilgrim : The question comes back to some of the additional protections I have put into the submission. If the committee decides that it would recommend a two-year data retention scheme, if such a scheme goes before the parliament and is passed, I would hope that therefore there would be some of the additional protections put in place, because some of the issues go back to some of the matters we have touched on through Mr Dreyfus's questions around potential data breach and the loss of that information or the compromising of that information, and we need to make sure that there are additional protections in place.

Senator FAWCETT: In paragraph 62, as part of your additional protections, you said:

… further safeguards should include:

limiting the purpose for which an authorisation can be made to where it is reasonably necessary to prevent or detect a serious offence and safeguard national security

In the context of that additional protection, I am just wondering whether you have turned your mind to ASIC's submission and their request to be listed as one of the agencies in the legislation who have mandated access to the data?

Mr Pilgrim : I am not across ASIC's submission, and I would be happy to have a look at that and take that on board and give some comments on notice if you would like.

Senator FAWCETT: That would be good, thank you.

Mr BYRNE: In the lead-up to the drafting of the legislation was your office consulted by the Attorney-General's Department or the Technical Working Group?

Mr Pilgrim : Not by the Technical Working Group—I think that is correct. No, we were not by the Technical Working Group. I did have a couple of meetings with the department on a range of issues around the raft of bills, including the foreign fighters bill and the like, and we did discuss some aspects relating to this.

Mr BYRNE: When you say 'some aspects', could you elaborate on what you discussed?

Mr Pilgrim : To the degree that I requested meetings to discuss a number of issues around the tranche of three bills, as the data retention scheme became, I suppose, clearer before it was actually at the bill stage, I asked for a discussion around what some of the proposals were there. For example, I proposed a suggestion that there should be a privacy impact assessment done for the bill, and I am pleased to see that—

Mr BYRNE: Exactly. They have taken that on board.

Mr Pilgrim : a privacy impact assessment was done and attached to the Attorney's submission. Unfortunately it was not in their table of contents, but we saw it was there. So we did have discussions with the Attorney-General's Department. I would not necessarily describe them as consultations.

Mr BYRNE: Would you envisage a further role for yourself and your office in the implementation should this legislation be passed, other than what is being discussed in terms of privacy considerations—besides data breach notices and other matters?

Mr Pilgrim : Certainly. For example, as I have touched on, if there are to be regulations made, I would like myself or our office to be consulted as those regulations are developed, because I think we can provide a lot of useful advice given the experience our office has had over a number of years in handling this sort of information. Similarly, if there are changes to be made to regulations, as I suggested, there should be privacy impact assessments done on future changes, and I think our office can provide considerable advice and guidance in the undertaking of those privacy impact assessments.

Importantly, there has been reference made to security legislation to complement this particular bill. Our office again has recently issued a quite comprehensive set of guidelines which go to advising government agencies and private sector organisations about securing personal information, because it is a requirement of privacy principle 11 that all organisations take reasonable steps to protect the personal information they hold. As I said, we have issued just recently a revised set of those guidelines, which I believe would go a long way to assisting the development of any additional legislation to bolster the security protections around this information should it be required to be held.

Mr BYRNE: Did you detail your concerns about prescribing enforcement agencies by regulation to the Attorney-General's Department?

Mr Pilgrim : Not specifically, no.

Mr BYRNE: Is there any reason why you did not do that?

Mr Pilgrim : I think at the time of our last meeting we did not have a copy of the bill, which actually set that out. So it did not come up in discussion.

Mr BYRNE: But had you had that bill in front of you, you would have raised that as a concern?

Mr Pilgrim : If we had had the opportunity to have the bill earlier and to be able to work through that, yes we would have raised issues we had at that time.

Mr BYRNE: Did you raise the issue of exemptions to some carriers and service providers?

Mr Pilgrim : I cannot recall off the top of my head—Ms Falk was at the meetings—whether we specifically went to those issues in those preliminary or earlier meetings.

Ms Falk : My recollection is that there were some discussions around the kinds of service providers that would be covered by the bill and also the coverage of the Privacy Act in terms of the oversight of those entities but nothing further.

Mr BYRNE: So at what stage of the bill's drafting did you actually have this conversation or series of conversations or whatever it was that you had?

Mr Pilgrim : I would like the opportunity just to confirm—

Mr BYRNE: Of course.

Mr Pilgrim : not because of any other reason, but I would hate to mislead the committee. I do not think we had a copy of the bill prior to our last meeting on this issue with the department.

Ms Falk : I think we would have to confirm that.

Mr Pilgrim : We would have to check the timing of that.

Mr BYRNE: You were not given a copy of the bill or draft at any stage of the consultation process?

Mr Pilgrim : Again, sorry, but, if I could, I would like to confirm that to see when we did get the first copy of the bill.

CHAIR: Thank you for giving evidence at the hearing today. You will be sent a copy of the transcript of your evidence to which you may suggest corrections. If you have been asked to provide any additional material, please forward this to the secretariat as soon as possible. If the committee has any further questions, the secretariat will write to you.

Mr Pilgrim : Thank you.