Should Aussie organisations be collecting metadata?
UXC Consulting is calling on Australian organisations to take a close look at their position regarding metadata, following the recently-enacted amendment to the Telecommunications Act.
The amendment requires telecommunications providers to retain the metadata of online communications and mobile/landline calls made by Australians from within Australia.
"The Telecommunications Act – Data Retention Amendment came into force in mid-October 2015. However, organisations required to retain data can seek approval to progressively implement the necessary infrastructure and procedures, provided that they will be compliant by April 2017," says Iain Stevenson, principal consultant with UXC Consulting.
"Many organisations whose core business is not the provision of telecommunications, including the hospitality, education, healthcare, and local government sectors also potentially fall under this legislation," he says.
"While deadlines for preparing and submitting an implementation plan, or seeking an exemption or variation to your obligations, have now passed, it's safe to assume that not every organisation that needed to meet this requirement actually achieved it," Stevenson adds.
According to Stevenson, retaining metadata can be quite onerous for organisations as the metadata itself has to be collected, encrypted, and stored securely for two years.
He says this can become expensive in terms of the necessary tools and data storage as well as the additional ICT processes, compliance oversight, and reporting required.
"If your organisation is providing telecommunications services on your own network equipment to people outside of your immediate business circle, then it is likely that you must now have a plan for retaining the resultant metadata," he explains.
Four examples of organisations that fall under the new provisions are:
* A hospital provides Wi-Fi internet services using its own Wireless Access Points (WAPs) to patients and visitors, and its tenants (a flower shop, newsagent, and pharmacy). All have telephone extensions through the hospital switchboard. These may all create the need for metadata retention.
* A university offers its students a life-long university email address as well as providing on-campus Wi-Fi and internet services to all campus visitors. Staff and current students are considered part of the university's immediate circle and do not create any data retention obligations. However, alumni (past students), conference visitors, and (potentially) visiting lecturers are not, and the university may subsequently find that it needs to collect metadata for all users.
* A chain of coffee shops or hotels provides Wi-Fi Internet services and perhaps an internet terminal or two for its patrons. If the organisation owns and operates the Wi-Fi equipment, certain data must be retained despite the fact that the underlying internet access is provided by their ISP.
* A conference centre operates its own online collaboration services for use by conference attendees. The metadata associated with these 'internet over-the-top' services must also be retained.
"Organisations need to examine whether they offer some form of internet access to visitors or the general public using their own network equipment, or operate internet collaboration applications available to those outside their immediate business circle," says Stevenson.
"If so, they may be obliged to collect, encrypt, and retain the associated metadata for two years, and make it available to government authorities on request," he explains.
"The implications of the Data Retention Amendment are often not immediately clear, and the legislation must be read within the context of specific technical and business circumstances to understand exactly how it applies to individual organisations," Stevenson says.
"Therefore, it is important that organisations seek proper legal advice to ensure they are meeting the requirements."