Data retention should stretch to seven years, Queensland Police says

Currently telcos are required to retain data for 24 months

The Queensland Police Service says that there is a case for extending from 24 months to seven years the length that telcos need to retain ‘metadata’ to comply with Australia’s data retention regime.

The data retention regime is currently subject to statutory review by the Parliamentary Joint Committee on Intelligence and Security (PJCIS). In a submission to the committee’s inquiry, QPS states that in its view the current dataset that telcos must retain to comply with the data retention regime is appropriate.

That data (sometimes described by the government as ‘metadata’ or ‘historical telecommunications data’) covers a range of information about communications, but not the ‘contents’ of the communication (e.g. the words spoken during a call or the body of an email). It includes a range of subscriber and device details as well as the source, destination, timing and duration of a communication, and the location of equipment used for the communication.

QPS said that a review of its 2017-18 activity revealed that in less than 6 per cent of the times that it sought access to metadata, the data involved was over 24 months old.

On the vast majority of occasions the data sought was 0-3 months old, QPS said. However, “despite the relatively small number” of occasions where the data sought was more than 24 months old “they nevertheless form a vital part of some notable investigations in this State”.

“Datasets extending beyond the 2-year period can often be pivotal in certain complex investigations especially where persons of interest have exercised their right to silence, where court proceedings are significantly protracted or the offence is not actually detected by police until a significant period later,” QPS said, citing the investigation of the murder of Daniel Morcombe as an example.

The data retention regime does not restrict telcos from retaining data for longer than two years, and in many cases telcos retain certain datasets for longer for use in a range of business processes.

In its submission to the PJCIS inquiry on the bill that established data retention, intelligence agency ASIO noted that in some cases telcos retained subscriber information, call records, numbers associated with an SMS, and mobile handset and SIM data for up to seven years for their own purposes. Some telcos retained IP and email information for up to three years, ASIO said.

“Whilst the legislated datasets are considered to be appropriate, the QPS submits that there is a case for a more lengthier retention period, extending beyond the current 2-year period to 7 years,” the QPS submission to the current inquiry states.

“Without a mandated retention period of this duration, there is a real risk that this type of information will no longer be available once telecommunications carriers no longer have a business need.”

In its submission to the inquiry, the Department of Home Affairs argued for the two-year period to stay.

“The Home Affairs Portfolio notes that an increased retention period would further assist agencies with managing investigations,” the submission said. “However, when these considerations are weighed against changes in public attitudes towards privacy and the need for strong privacy protections, the most appropriate way forward would be to retain the existing scope the legislation.”­

The report of the PCJIS inquiry into the 2014 data retention bill endorsed a two-year retention period, arguing that the “effective conduct of serious national security and criminal investigations must be balanced against the degree to which a two-year retention period could interfere with the privacy, freedom of expression and other rights of ordinary Australians”.

However, it noted that a two-year retention period would “place Australia at the upper end of retention periods adopted in other jurisdictions.”

“Of the 35 Western countries identified as having implemented mandatory data retention obligations, only Italy, Ireland, Poland and South Africa require service providers to retain some or all telecommunications data for two years or more,” the report said.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags Telecommunicationsdata retentionQueensland policenational security

More about ASIOAustraliaHomeQPS

Show Comments