[AusNOG] (Abuse of) mandatory data retention information.
Paul Wilkins
paulwilkins369 at gmail.com
Wed May 2 11:08:45 EST 2018
The responsibility is going to lie with company directors. So either they
do their own due diligence, or engage a lawyer before that interesting
discussion with Attorney General's over whether the police can access data
retained under the Data Retention provisions, without a judicial warrant.
My take is that the judge issuing the warrant is responsible for ensuring
the officer requesting the warrant is duly authorised.
I am not a lawyer. This is not legal opinion.
Kind regards
Paul Wilkins
On 2 May 2018 at 10:45, Ross Wheeler <ausnog at rossw.net> wrote:
>
>
> On Wed, 2 May 2018, Paul Wilkins wrote:
>
>> Ross,
>> I recall vaguely when this was first posted. I'm sceptical whether AG
>> would have advised to just hand the data over, as doing so ironically
>> enough breaches the Data Retention Act:
>>
>> 187BA Ensuring the confidentiality of information
>> A service provider must protect the confidentiality of information
>> that, or information in a document that, the service provider must
>> keep, or cause to be kept, under section 187A by:
>> (a) encrypting the information; and
>> (b) protecting the information from unauthorised interference
>> or unauthorised access.
>> ...
>> 187LA Application of the Privacy Act 1988
>> (1) The Privacy Act 1988 applies in relation to a service provider, as if
>> the service provider were an organisation within the meaning of
>> that Act, to the extent that the activities of the service provider
>> relate to retained data.
>>
>> In my non legal, non expert opinion, access to retained data (by ordinary
>> police, not the intelligence agencies) would be either under or
>> compatible with the Telecommunications (Interception and Access) Act 1979.
>>
>
> Yes, that may be the words, but I am also quite aware that at the time
> (and indeed subsequently) there has been a great deal of uncertainty within
> at least parts of the industry, exactly what constitutes a duly authorised
> person.
>
> I recall there being a request by parts of the industry for a "register or
> list of people permitted to make requests", but that never happened. The
> fact that a minister could appoint people with no requirement to advise
> industry who was or wasn't appointed at any given time, combined with
> penalties for either:
> * providing information to someone NOT authorised
> * failing to provide information to someone who IS authorised
> meant it was a precarious position for ISPs to be in.
>
> I've never been asked for any data, so I've not had to seek confirmation,
> but I believe there was a blanket statement made that if an ISP were in
> doubt about a request, they should contact the AG for clarification. That,
> I believe, is what the friend-of-my-friend did. I feel the cavalier "give
> it to him" response reported by the AG, with a "the audit will catch it"
> (after the event, if anyone ever bothers) line as some sort of "protection"
> to be highly inappropriate - especially in the case where the person being
> asked for the data had a "reasonable doubt" that it was being used
> appropriately.
>
> The whole thing stinks from top to bottom, but then we all knew that
> before it was even introduced.
>
> R.
>