Law enforcement and national security obligations
CSP obligations are:
to give officers and authorities of the Commonwealth, States and Territories reasonably necessary assistance in relation to the enforcement of criminal law and laws imposing a pecuniary penalty, protecting public revenue and safeguarding national security;
to do their best to prevent their network and facilities being used in the commission of offences against the laws of the Commonwealth, or of the States and Territories; and
to ensure their network or facility is able to intercept a communication passing over it, in accordance with a warrant issued under the Telecommunications (Interception and Access) Act 1979 (the TIA Act).
A CSP includes an internet service provider (ISP).
Part 13 of the Telecommunications Act 1997 (the Act) makes it an offence for an CSP and its employees to use or disclose any information or document which comes into its possession in the course of its CSP business, where the information relates to:
the contents or substance of a communication carried by the CSP (delivered or not); or
carriage services supplied, or intended to be supplied, by the CSP; or
the affairs or personal particulars of another person.
When can an ISP disclose customer information?
Exceptions to the prohibition on disclosure of customer information include:
where the disclosure is reasonably necessary for the enforcement of the criminal law or the protection of the public revenue (see below);
where the disclosure is made to ASIO for the performance of its functions;
where the disclosure is required or is otherwise authorised under a warrant or under law.
How do agencies request customer information?
Part 13 Telecommunications Act requests
Part 4 of the TIA Act requests
warrants (either interception or general search)
notice authorised by, or under, law
Access by agencies to the content of an internet communication in transit will amount to an interception and can only be authorised under the Telecommunications (Interception) Act 1979.
Authorisations for disclosure of existing and prospective information or documents
Chapter 4 of the TIA Act allows for lawful access to telecommunications data by ASIO, officers and authorities of the Commonwealth, States and Territories (law enforcement and national security agencies) in relation to the enforcement of criminal law and laws imposing a pecuniary penalty protecting public revenue and national security.
Law enforcement and national security agencies may authorise disclosure of existing and prospective information or documents.
For disclosure of prospective information (i.e. information that came into existence during an authorised disclosure period), a higher level of authorisation (by ASIO) or further justifications by (criminal law enforcement agencies) is required.
Details of the procedural requirements relating to authorisations are provided in Part 4-2 of Chapter 4 of the TIA Act.
The authorisation period for prospective information or documents is 90 days for ASIO and 45 days for law enforcement agencies respectively.
All authorisations, notifications and revocations must be in writing-signed by its maker or in electronic form-stating the unique identifier.
A warrant may be used to access other customer information, including stored communications (see below). Agencies may choose not to use the warrant process if the information may be requested by other means.
Record keeping and reporting requirements
CSPs (including ISPs) must keep records of all disclosures made under Part 13 (of the Act and Division 4 of the TIA Act) for each financial year and lodge those reports with the ACMA within 2 months of the end of that financial year. The section 308 report form for reporting disclosures is on the ACMA website.
CSPsmust give reasonable help to agencies on terms and conditions agreed by the agency and the CSP, and on the basis that the CSP neither benefits from, nor assumes the costs of, giving that help.
Can an CSP be liable in civil proceedings for customer information disclosure?
Section 313 of the Act provides that a carrier or CSP is not liable for damages for an act done or omitted in good faith to give reasonably necessary assistance to officers and authorities of the Commonwealth, States and Territories.