73.36 The interception of, or access to, personal information by a law enforcement agency under the Telecommunications (Interception and Access) Act complies with IPP 1 where the collection is ‘lawful’ and ‘necessary for one or more of its functions or activities’. This would also be the case under the ‘Collection’ principle in the model UPPs.[54]

Stored communications

73.37 The Telecommunications (Interception) Amendment Act expanded the circumstances under which stored communications can be accessed to allow ‘warrantless’ access to stored communications. The Telecommunications (Interception and Access) Act allows for stored communications to be accessed without a warrant where one party to that communication has knowledge of the access.[55] A party has ‘knowledge’ where he or she has been provided with written notice.[56]

73.38 Professor Simon Bronitt, James Stellios and Kevin Leong submitted that this provision creates a regulatory loophole—officials are not required to obtain a warrant to access stored communications in cases where notification is given to one of the parties to a stored communication. It was argued that further consideration must be given to the significance and scope of notification, with careful evaluation of the reasonable expectations of privacy in relation to stored communications and the competing public interests.[57]

73.39 The fact that this provision allows for the invasion of privacy of many individuals, including non-suspect persons, is of concern. For example, a communication involving multiple participants (including non-suspects), such as an online bulletin board, could be accessed if one participant in that communication was given written notice of the access. As noted above, however, it is the ALRC’s view that the circumstances in which communications can be intercepted are an issue outside the scope of this Inquiry. This issue should be considered as part of the review of telecommunications legislation recommended in Chapter 71.[58]

Telecommunications data

73.40 Under s 180 of the Telecommunications (Interception and Access) Act, an authorised officer of a ‘criminal law enforcement agency’ must not make an authorisation to access prospective telecommunications data unless he or she is satisfied that the disclosure is reasonably necessary for the investigation of an offence against a law of the Commonwealth, a state or a territory that is punishable by imprisonment for at least three years. Section 180(5) of the Telecommunications (Interception and Access) Act provides that, before making the authorisation, the authorised officer must have regard to how much the privacy of any person or persons would be likely to be interfered with by the disclosure.[59]

73.41 Submissions to the Senate Committee Inquiry into the provisions of the Telecommunications (Interception and Access) Amendment Bill 2007 suggested that greater guidance was needed on how the privacy implications of an authorisation should be considered and documented under s 180(5).[60] In DP 72, the ALRC asked whether the Telecommunications (Interception and Access) Amendment Bill 2007 (as it was then known) should be amended to provide greater guidance in this regard.[61]

Submissions and consultations

73.42 A number of stakeholders supported the amendment of the legislation to provide greater guidance on how the privacy implications of an authorisation should be considered and documented.[62]

73.43 The Law Council of Australia submitted that the requirement to ‘have regard to’ a person’s privacy under s 180(5) is likely to receive little more than ‘lip service’, based on experience with the Surveillance Devices Act 2004 (Cth), which contains a similar provision.[63] The Law Council submitted that s 180(5) should be amended to express in clear terms the test to be applied. The Law Council suggested the following formulation:

Before making the authorisation, the appropriate authorising officer must be satisfied on reasonable grounds that the likely benefit to the criminal investigation which will result from the disclosure substantially outweighs the extent to which the disclosure is likely to interfere with the privacy of any person or persons.[64]

73.44 Other stakeholders did not agree that further guidance was needed.[65] The AGD noted that s 183 provides that an authorisation must comply with the requirements determined by the Communications Access Co-ordinator, who must consult with the Privacy Commissioner before making such a determination. The AGD submitted that the initial determination to be made under this section will include guidance to agencies on how to determine the impact on privacy.[66]

ALRC’s view

73.45 Greater guidance should be provided about how the privacy implications of an authorisation are to be considered and documented under s 180(5) of the Telecommunications (Interception and Access) Act. The ALRC notes that a determination is to be made under s 183 of the Telecommunications (Interception and Access) Act that will address this issue. The determination should ensure that the issue of privacy is addressed directly and transparently in the authorisation process. This will avoid the situation where an authorising officer could just ‘tick a box’ to indicate that he or she has considered privacy issues.

