Rules Mate

Telco 2-Year Metadata Retention Rule (TIA Act Part 5-1A)

Part 5-1A of the Telecommunications (Interception and Access) Act 1979 requires carriers and carriage service providers to retain prescribed telecommunications data for at least two years.

Rules Mate Editorial | Published 2 June 2026 | 2 min read

Statutory basis

Australia’s mandatory data retention regime sits within the Telecommunications (Interception and Access) Act 1979 (TIA Act). Part 5-1A of that Act details the requirements.

The current form of Part 5-1A was introduced via the Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015. This amendment inserted the relevant provisions into the TIA Act.

Section 187A of the TIA Act mandates that service providers—including carriers, carriage service providers (CSPs), and internet service providers (ISPs) operating in Australia—must retain specified information, or documents containing it, for a minimum period of 2 years.

Categories of data to be retained

Section 187AA details the specific types of telecommunications data subject to the retention requirement. It outlines six distinct categories that telecommunications providers must retain, ensuring a comprehensive record of communications activity.

The data categories encompass subscriber information, including account details and device specifics. They also include details of communication origins and destinations. Further categories cover the timing and length of communications, alongside the type of service used.

Finally, the required data includes information relating to the location of equipment and lines involved in facilitating communications. These six categories collectively define the scope of data retention obligations under the TIA Act Part 5-1A.

What is and is not retained

The data retention regime requires telecommunications service providers to retain specific metadata relating to communications. This includes details generated by the use of a telecommunications service, but crucially, does not extend to the contents or substance of a communication. This distinction is clarified in section 187A(4) of the legislation.

Notably, information about a person’s web-browsing history is excluded from the data to be retained. Section 187A(4)(b) confirms that URL or destination web addresses are not subject to this requirement. The focus is on connection and device data, not the content being accessed.

Retained data is subject to strict security requirements. Section 187BA mandates that the data be encrypted and protected from unauthorised interference or access. Service providers may also be eligible to apply for an exemption or variation under sections 187K or 187KA, contingent upon the existence or previous implementation of a data retention implementation plan.

Access and oversight

Access to retained metadata is strictly controlled. It may only be accessed by criminal law enforcement agencies listed in section 110A, using an authorisation. ASIO may also access the data, but under separate provisions.

Specific protections apply to journalist information. An agency must obtain a warrant under Division 4C before authorising access to data to identify a journalist’s source.

Compliance with access provisions is overseen by the Commonwealth Ombudsman, who provides an annual report to Parliament. Independent statutory reviews of the data retention regime are also conducted by the Parliamentary Joint Committee on Intelligence and Security.

Frequently asked

Does the 2-year metadata retention rule cover the content of communications?

No. Section 187A(4) confirms the obligation does not extend to the contents or substance of a communication. Only metadata in the six categories listed in section 187AA must be retained.

Are small ISPs required to retain data?

Yes, in principle, but service providers could submit a data retention implementation plan under section 187E to phase in compliance, and the regime allows exemptions or variations from the Communications Access Co-ordinator under section 187K.
