Industry obligations

Under Australia’s electronic surveillance framework, certain telecommunications and other providers have obligations to provide specified kinds of assistance to law enforcement and national security agencies. As part of their obligations, industry must maintain capabilities to intercept communications, must retain telecommunications data and must preserve stored communications when legally requested. 

Telecommunications carriers must also report to us each year on their interception capabilities.

Industry obligations

Section 313 of the Telecommunications Act 1997

Commonwealth, state and territory officers and authorities may ask carriers and carriage service providers to provide reasonable assistance, as set out under section 313 of the Telecommunications Act 1997 (Telecommunications Act).

The starting position is that providers should be compensated for the reasonable costs of helping these authorities.

Data retention

Under the Telecommunication (Interception and Access) Act 1979 (TIA Act), telecommunications service providers, such as carriers, carriage service providers, and internet service providers that use telecommunications infrastructure in Australia to operate any of their services may be subject to telecommunications data retention obligations.

Telecommunications data is the information about a communication but not the content or substance of a communication. For example, telecommunications data includes:

  • For telephone calls – the telephone number of the people talking to each other, and the duration of the conversation but not what was said.
  • For emails – the relevant email addresses and when it was sent but not the subject line of the email or its content.

The data retention obligations require the telecommunications service providers noted above to retain specific telecommunications data (the data set) relating to the services they offer for at least 2 years. Some subscriber information (a category of data in the data set) must be retained for the life of the account and for a further 2 years after the account is closed.

The retained data must be encrypted and protected from unauthorised interference and access.

Read more about what telecommunications data is needed to be kept under section 187AA of the TIA Act.

Read more about the safeguards on the access to telecommunications data under the TIA Act.

Privacy

Telecommunications data retained by service providers under the TIA Act is considered personal information for the purposes of the Privacy Act 1988. The Privacy Commissioner assesses industry's compliance with the Australian Privacy Principles for retained data (and more broadly) and monitors industry's non-disclosure obligations under the Telecommunications Act.

Guidelines on the operation of the mandatory data retention regime TIA Act

To help explain how the data retention regime works, we have prepared guidelines on telecommunications data under the TIA Act.

We developed these guidelines in consultation with industry and law enforcement, national security, oversight and integrity agencies. They should be read together with the relevant provisions of the TIA Act and are not a substitute for legal or other professional advice.

We will regularly review these guidelines to reflect continuing engagement with stakeholders and update them as needed.

Read the guidelines on the application of the TIA Act.

Interception capability plans

Under the TIA Act, carriers and carriage service providers must have the capability to intercept a communication passing over their system in keeping with a warrant issued under the TIA Act.

A carrier is a business that is licensed to own or operate telecommunications infrastructure in Australia (see Part 3 of the Telecommunications Act). 

A carriage service provider is a business that supplies telecommunications services to the public using a carrier’s infrastructure (see Part 4 of the Telecommunications Act).

Carriers and nominated carriage service providers must lodge an interception capability plan with the Communications Access Coordinator by 1 July each year. 

It must set out how they can help law enforcement and national security agencies with lawful interception of telecommunications services they offer.

Under section 201 of the TIA Act, whenever a provider’s business plans change enough that the interception capability plan no longer adequately describes a service’s interception capability, they must prepare and submit a new interception capability plan to the Office of the Communication Access Coordinator (OCAC) as soon as possible.

Carriage service providers that have not been nominated under the TIA Act do not have to submit plans.

For providers: to request more information, including an interception capability plan template, email OCAC on cac@ag.gov.au.

Part 15 of the Telecommunications Act 1997

Under the industry assistance regime in Part 15 of the Telecommunications Act, law enforcement and national security agencies can seek assistance from designated communication providers (DCPs) to address technical obstacles to investigations into serious crime and national security threats. A DCP includes services that sit ‘over the top’ of the telecommunications network such as Gmail, Messenger, and SnapChat.

While we have policy responsibility for Part 15 of the Telecommunications Act, the Minister for Communications (with support from the Department of Infrastructure, Transport, Regional Development, Communications and the Arts) is responsible for administering the Telecommunications Act.

The industry assistance framework features a graduated approach for law enforcement and national security agencies to request assistance from DCPs. There are 3 types of notices:

  • Technical Assistance Request (TAR), which provide for voluntary assistance if the DCP is willing.
  • Technical Assistance Notice (TAN), which compel the DCP to provide assistance where the DCP already has the existing technical capability to do so.
  • Technical Capability Notice (TCN), which compel the DCP to build a technical capability to assist law enforcement and national security agencies. The Attorney-General must agree to give a DCP a TCN.

Limits on use of the industry assistance framework

There are some key limits to requests or requirements made under the framework. These include:

  • requests must not require a DCP to build or implement a systemic weakness or vulnerability that affects a whole class of technology
  • requests must not require a DCP to do things for which the requesting agency would otherwise require a warrant or authorisation, and
  • a TCN must not require the construction of an interception capability or a data retention capability.

Costs to comply with the industry assistance framework

The starting position is for DCPs to be compensated for the reasonable costs of complying with a request or notice. DCPs and agencies typically negotiate the terms for providing any voluntary assistance under a TAR. By default, complying with a TAN or a TCN is cost recoverable on a no-profit-no-loss basis. In limited circumstances, and only when it is in the public interest, a DCP can be made to comply without compensation. This exception cannot be exercised until a decision maker considers the regulatory burdens and the effect on competitiveness, amongst other things.

Administrative guidance

To support cooperation between agencies and the communications and technology industry, we have developed administrative guidance for agency engagement with designated communications providers. This ensures agencies and industry have a clear understanding of their rights, obligation and expectations under the industry assistance framework.

The guidance covers:

  • a step-by-step breakdown of the process and requirements for the TARs, TANs and TCNs
  • engagement between agencies and providers
  • considerations for cost assessments
  • information sharing and disclosures
  • disagreement, compliance and enforcement, and
  • oversight arrangements, transparency and independent scrutiny.

In preparing the guidance, we engaged with relevant Commonwealth, state and territory agencies, oversight bodies, and a range of industry organisations and bodies.

We will continue to revisit and update the guidance with feedback from agencies and industry. Contact the OCAC on cac@ag.gov.au for more information.

Exemptions and variations

If a carrier or service provider believes they should be exempt from, or have their data retention or interception obligations varied, they may apply to the OCAC for consideration. 

The OCAC will consider exemptions and variations on a case-by-case basis in accordance with the TIA Act and are confidential in nature.

Read the guidance material on exemptions.

For more information on the data interception and retention obligations, including application templates and guidance material, contact OCAC via email on cac@ag.gov.au.

Note: Carriers and nominated carriage service providers must still lodge an interception capability plan, even if they have been granted an exemption or do not offer any services. 

For more information about carrier licences, visit the Australian Communications and Media Authority.

Office of the Communications Access Coordinator

The OCAC is the central liaison point between the telecommunications industry, and law enforcement and national security agencies regarding the obligations in the TIA Act, particularly interception capability and data retention obligations.

One of OCAC's main roles is to help members of the telecommunication industry understand and comply with their obligations under the TIA Act.

To contact the OCAC: