Telcos could charge individuals to access their own metadata

Telecommunications companies and internet service providers should charge individuals to access their own metadata retained under the Government's planned data retention scheme, a report into the bill recommended.

The parliamentary joint committee on intelligence and security made the recommendation  in its report on the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014 [pdf].

The report gave broad support for the two-year retention scheme, which would see a prescribed set of data retained on individuals by their telecommunications provider in an effort to aid law enforcement in fighting crime.

The committee made 43 recommendations - including that a mandatory data breach notification scheme be introduced before the end of the year  - covering how metadata should be defined and who should be able to access the data, among other things.

It also said individuals should be able to access the telecommunications data retained on them by their service provider as part of the regime.

Telcos and ISPs should similarly be able to recover their costs for providing such access, the committee said - meaning customers would be charged a fee for access to their stored data.

"Individuals should have an unambiguous right to access their personal telecommunications data retained under the mandatory data retention regime," the PJCIS wrote.

"The committee notes that telecommunications service providers are currently able to recover the cost under the Privacy Act 1988 and considers that this model should apply to these arrangements."

The recommendation was made after feedback from the Privacy Commissioner Timothy Pilgrim and the Law Council of Australia.

Pilgrim pointed to Australian Privacy Principle 12, which states organisations governed by the Privacy Act holding personal information about an individual must, on request, hand over that information to the individual.

The Law Council of Australia similarly highlighted the importance of allowing ISP and telco customers to access their own stored metadata, arguing individuals should be given the same access as a law enforcement agency in order to establish a defence or understand evidence against them.

However, the telecommunications industry had argued against such an approach, claiming it would drive up costs that wouldn't necessarily be able to be recovered.

"Providing this information to customers is not the same as providing information to authorised enforcement agencies and would involve additional costs, for example in verifying a customer’s identity and redacting information on incoming calls to protect the privacy of other individuals," Telstra wrote in its earlier submission to the committee.

"There is a fundamental difference between responding to a reasonably precise and limited request from agencies for information to dealing with blanket requests for all personal information about an individual."

The Communications Alliance similarly raised concerns on behalf of the industry of the financial impost of allowing individuals access to their metadata.

"The size and cost of the task for a CSP [communications service provider] to pull together and make available all the metadata relating to an individual should not be underestimated," the Comms Alliance informed the committee.

"The prospect of potentially millions of Australians making such requests to CSPs is little short of frightening.

"Such a scenario would generate enormous expense and resource demands on CSPs, for no clear or positive outcome. CSPs would need to create purpose-built security and management systems to meet the additional demands imposed on them by this new requirement."

The Government is expected to table its response to the recommendations in the report next week.