House debates

Monday, 26 October 2009

Telecommunications (Interception and Access) Amendment Bill 2009

Second Reading

12:03 pm

Sussan Ley (Farrer, Liberal Party, Shadow Minister for Justice and Customs)

I am pleased to speak on the Telecommunications (Interception and Access) Amendment Bill 2009. This bill will amend the Telecommunications (Interception and Access) Act 1979, the T(IA) Act, to implement a full legislative solution that clarifies the basis on which communications can be accessed for the purposes of protecting a computer network. In order to give this bill and its proposed amendments some context, I would like to quote from the discussion paper and exposure draft legislation produced by the Attorney-General’s Department in July of this year. I would also like to reflect on some remarks within the EM to the bill.

Increasingly, the use of online services by individuals, governments, business and the not-for-profit sector means that sensitive information is regularly transmitted and stored electronically. I think it is fair to say that there has been an absolutely exponential boom in the online storage of progressively more and more sensitive information. Accessing or disrupting the carriage of this information can provide significant financial and other benefits for criminal elements. Protecting information and computer infrastructure from malicious attack is a key concern for governments and for the growing number of computer network owners, whose networks hold and transmit such information.

In 2008 the Australian Bureau of Statistics reported that, between June 2006 and June 2007, 86 per cent of all businesses reported that they used the internet, one-third of all businesses reported that they had a web presence, 40 per cent of all businesses reported they had placed orders via the internet and just over one-fifth of all businesses reported they had received orders via the internet. Businesses estimated that approximately $68 billion was generated by these orders, or 3.5 per cent of total income from the sales of goods and services. The ABS has reported that as at December 2008 there were almost eight million subscribers to the internet in Australia. Of these, 1.3 million were businesses and government subscribers and 6.7 million were household subscribers.

As sectors of the community become more and more reliant on internet technology to relay and store sensitive information, the potential grows for people, including organised crime and terrorist groups, to harm individuals and organisations through malicious access to such information. Accordingly, protecting sensitive information from these attacks is something that we in this parliament should be holding front and centre of our concerns. I am pleased to say that the coalition support the Telecommunications (Interception and Access) Amendment Bill although, as we did with the previous bill of this type, we foreshadow amendments pending the recommendations of the committee to which this bill has been referred.

The A-G’s Department developed a proposal to amend the T(IA) Act to allow all owners and operators of computer networks in Australia to undertake activities to protect their networks. A draft proposal was set out and submissions were received, and I thought that the public comment was very valuable indeed.

The actual substance of the bill, as I said, seeks to amend the T(IA) Act to enable the owners and operators of computer networks to undertake activities to operate, maintain and protect their networks; to enable Commonwealth agencies, security authorities and eligible state authorities to ensure that their networks are appropriately used by employees, office holders or contractors of the agency or authority; and to limit secondary use and disclosure of information obtained through network protection activities and require the destruction of records obtained by undertaking network protection activities when the information is no longer required for this purpose.

As noted in the bill’s explanatory memorandum, the increase in online services by individuals, governments and businesses is what has generated the need for these amendments, as well as the increasingly apparent use of criminal syndicates who exploit weaknesses in the carriage of information across the world. We should note that not all network protection activities are currently lawful under the Telecommunications (Interception and Access) Act. Whether an activity is lawful depends on the particular characteristics of the activity that is undertaken, where and by whom it is undertaken and whether or not there is an awareness by the affected person that the activity is being done. An example of this would be someone who is undertaking network protection activities. They may need to copy a communication before it is delivered to the intended recipient but, under the T(IA) Act as it now stands, copying is only allowed at certain points in the delivery of that communication and under certain conditions. This means that network owners and operators are vulnerable to inadvertently breaking the law prohibiting interception. The T(IA) Act currently includes special exemptions that enable interception and security agencies, as well as certain government departments, to access communications on their own computer network for network protection activities. However, these provisions are not permanent; rather, they were intended to operate on an interim basis while a comprehensive solution covering both the public and private sectors was developed. So these provisions cease to have effect after 12 December 2009.

The current bill before the House will also improve the effectiveness of the Australian telecommunications access regime by extending the evidentiary certificate regime to lawful access to telecommunications data authorised under chapter 4 of the Telecommunications (Interception and Access) Act and allowing the managing director or the secretary of a carrier to delegate their evidentiary certificate functions; by clarifying that lawfully intercepted information can be used, communicated and used in proceedings by the Australian Federal Police in applications for interim and final control orders and initial and final preventative detention orders under divisions 104 and 105 of the Criminal Code Act 1995; and by making consequential amendments to reflect amendments to the Police Integrity Commission Act 1996 of New South Wales in relation to the investigation of the corrupt conduct of an administrative officer of the New South Wales Police Force or the misconduct of an officer of the New South Wales Crime Commission.

As mentioned in the explanatory memorandum, the bill ensures that all legitimate activities in relation to protecting computer networks—whether it is the infrastructure or the information stored or transmitted by them—which are undertaken by network administrators in either the government or non-government sectors do not inadvertently constitute an offence under the T(IA) Act. However, the new provisions do not make such activities compulsory. Utilising the provisions in relation to network protection remains at the discretion of the owner or operator of the network.

As with all measures that seek to protect us, and in this case protect us from a vast range of information being exposed to criminal networks, the issue comes down to a person’s right to know, a person’s ability to use information that they acquire in the course of protecting a network and the privacy of the individual concerned. I note that the Office of the Privacy Commissioner, in making a submission to the Senate Standing Committee on Legal and Constitutional Affairs, has a number of suggestions aimed at enhancing aspects of the bill. I note those because I think they well illustrate the tension in a debate of this nature. Those recommendations are that the bill could provide additional guidance on the operation of the provisions to assist organisations to train authorised persons in respect of what action is lawfully permitted to be undertaken under the scheme. Any exceptions permitting secondary uses or disclosures should be well defined. So these exceptions should align with community expectations and be based on clearly articulated public policy reasons—that is, if you proceed to use, for secondary purposes, information that is acquired in the course of protecting a network. In clause 15, regarding misuse of the computer network, the bill should clarify that disciplinary action applies to activities that pose a risk to network security only. Consideration could be given to including in the bill a provision to allow individuals access to intercepted communications that relate to them, to be modelled on national privacy principles in the Privacy Act. The Office of the Privacy Commissioner also suggests that all intercepted records of a communication, whether the original or a copy obtained for the purpose of network security, should be destroyed when no longer needed for that purpose. That strengthens the requirement to destroy information.

As I noted, the bill was referred to the Senate Standing Committee on Legal and Constitutional Affairs on 17 September and it is due to report by 16 November. While the coalition supports the bill, we foreshadow the possibility of amendments in the Senate pending the committee’s recommendations.
