Two government departments copped a beating from the Parliamentary Joint Committee on Intelligence and Security (PJCIS) on Friday over extensive gaps in their oversight of Australia's mandatory data retention laws.

The Department of Home Affairs (DHA) in particular came under sustained attack from Labor's Anthony Byrne, a former chair of the committee, for what he called a "cavalier disregard" for the limits on who can access this "intrusive information".

The key problem was that no one seems to know which state-level or civil society organisations can access metadata without a warrant, nor the range of investigations it can be used for.

Under section 280 and section 313 of the Telecommunications Act 1997, telcos must give assistance to a huge range of organisations for purposes such as "enforcing the criminal law and laws imposing pecuniary penalties" and "protecting the public revenue".

This assistance can include the provision of stored metadata. It's a separate regime from the warrantless access provided to 21 law enforcement and intelligence agencies under the Telecommunications (Interception and Access) Act 1979, or TIA Act.

A survey conducted by the Communications Alliance showed that metadata has been provided to organisations as wide-ranging as local councils, the RSPCA, and even the Victorian Institute of Education.

"Our committee in its various iterations was told in 2012, 2013, 2015, and 2016 that they will be doing everything within their power to limit the number of organisations that could access this metadata," Byrne said.

He blasted DHA's Hamish Hansford, first assistant secretary for National Security and Law Enforcement Policy, saying that PJCIS had been told if the metadata laws were passed, section 280 access would be stopped. This has happened, however.

"What you've just said today, basically says it hasn't been stopped. And worse than that, you've known about it, you've done nothing about it. You didn't come to the committee and say this is a problem, we have to find out by third parties," said a visibly angry Byrne.

"So for me to hear you effectively say that you're not quite sure how many organisations can access this metadata ... If you are me and you're listening to what I've just listened to, which is a cavalier disregard for people accessing intrusive information, which this Parliament had to fight years for, how do you think I feel about that?"

Hansford's response was that there is in fact "comprehensive reporting" and "clear governance arrangements" for the 21 authorised agencies under the TIA Act.

"What we're talking about in the Telecommunications Act is about data access, not related to the data retention regime," Hansford said.

"It's a general access power, as opposed to all the safeguards that this committee recommended, and the parliament eventually legislated for, which is outlined in the TIA Act," he said.

"So I think the concern that you have is in relation to access to data rather than the data retention regime in the 21 agencies. And I think there is a big, distinct difference."

Byrne would have none of it. He shut down Hansford's arguments, telling him it was his job to raise concerns and come up with solutions such as coordination with the states through the Council of Australian Governments (COAG).

"I haven't finished and you listen and I talk, this is the way this goes. And when I ask you questions you respond, that's what you do. That's what we're here for as a committee," Byrne said.

"You've indicated to me that you're not seriously wanting to address the issue. I'm extremely annoyed about the issue, and I'll pursue it in another forum," he said.

"Park it. Park it. I don't want to hear any more from you ... That's it. I'm done. Don't talk."

Shadow Attorney-General Mark Dreyfus also explored the issue with Jennifer McNeil, first assistant secretary of the Communications Infrastructure Division of the Department of Infrastructure, Transport, Regional Development and Communications.

"Does anybody know -- this is my question to all of you -- does anybody know how many authorised agencies for telecommunications information have been made in reliance on section 280 and some other law? This year, or last year, or the year before?", asked Dreyfus.

"We will take that on notice I'm afraid," McNeil replied.

McNeil said there is currently no central database to track state and civil use of retained metadata, as well as no federal knowledge of the laws that might have been used in conjunction with section 280.

"I don't know whether there [is] reporting in state transparency mechanisms and any reports. I don't know that for sure," she said.

Dreyfus had previously said in 2017 he would raise the issue of section 180 powers with the PJCIS.

"To get a direct response from the government, the shadow attorney-general will write to the attorney-general to establish the full facts of the matter," a spokesperson said at the time.

The PJCIS heard evidence as part of its review of the mandatory data retention regime.

The committee also heard that DHA has no national guidelines for what constitutes as metadata access that is "reasonably necessary" for an investigation.

Could telco metadata be retained for more than two years?

Both DHA and the Australian Security and Intelligence Agency (ASIO) flagged that a data retention period of more than two years would be useful.

"We have some espionage investigations that actually have been running for many decades," said ASIO director-general Mike Burgess.

One long-running case concerned a foreign scientist who had access to Australian government clearance-holders for more than 10 years.

"[These were] people with access to Australian government secrets," Burgess said.

"Thanks to retained data, we managed to identify some of the scientist's contacts for some of the time they were in Australia. From that information, we were then able to investigate the harm the scientist caused to Australia, specifically their access to classified material over the previous 10 years."

Hansford noted that a longer data retention period could help solve more crimes and that some nations retain data for much longer -- up to six or seven years in some cases.

"The Italian government and the Italian police obviously find it of benefit to have the data retention period for six years given the complex world they live in, particularly with some organised crime groups," he said.

State police chiefs have proposed data retention for up to seven years.

The newly-appointed commissioner of the Australian Federal Police (AFP), Reece Kershaw, agreed that a longer retention period would be desirable, but said the exact length would be a matter for discussion with Home Affairs.

Metadata requests now up to 655,588 a year

Section 280 powers "authorised by or under law" were used 8,432 times in 2018-2019, down from 11,976 in 2017-2018, according to the Australian Communications and Media Authority (ACMA) Communications Report [PDF] released on Thursday.

"Law enforcement agencies (civil and criminal) must be satisfied that the information they request is reasonably necessary to perform their law enforcement functions," ACMA wrote.

The total number of data disclosures under the TIA Act were 655,588 in 2018-2019, up from 563,670 in 2017-2018.

In those 2018-2019 figures were 508,386 provisions of data to enforce the criminal law; 2,269 to locate missing persons; 1,321 for "enforcement of a law imposing pecuniary penalty or protection of the public revenue"; and 35 for the enforcement of the criminal law of a foreign country.

There were also 143,466 authorisations for "access to prospective information or documents", which is metadata for future events, and another 10 prospective requests for foreign law enforcement.

The PJCIS is due to report on mandatory data retention by April 30.

In a separate review, the Independent National Security Legislation Monitor (INSLM) is looking at Australia's controversial encryption laws, contained in the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 or TOLA Act.

INSLM is due to report to PJCIS by June 30, and the final PJCIS report is due by September 30.

Related Coverage