Should Aussie organisations be collecting metadata?

25 Feb 16

UXC Consulting is calling on Australian organisations to take a close look at their position regarding metadata, following the recently enacted amendment to the Telecommunications Act.

The amendment requires telecommunications providers to retain, as metadata, details of online communications and mobile/landline calls made by Australians from within Australia.

“The Telecommunications Act – Data Retention Amendment came into force in mid-October 2015. However, organisations required to retain data can seek approval to progressively implement the necessary infrastructure and procedures, provided that they will be compliant by April 2017,” says Iain Stevenson, principal consultant with UXC Consulting.  

“Many organisations whose core business is not the provision of telecommunications, including the hospitality, education, healthcare, and local government sectors also potentially fall under this legislation,” he says.

“While deadlines for preparing and submitting an implementation plan, or seeking an exemption or variation to your obligations, have now passed, it’s safe to assume that not every organisation that needed to meet this requirement actually achieved it,” Stevenson adds.

According to Stevenson, retaining metadata can be quite onerous for organisations as the metadata itself has to be collected, encrypted, and stored securely for two years.

He says this can become expensive in terms of the necessary tools and data storage as well as the additional ICT processes, compliance oversight, and reporting required.

“If your organisation is providing telecommunications services on your own network equipment to people outside of your immediate business circle, then it is likely that you must now have a plan for retaining the resultant metadata,” he explains.

Four examples of organisations that fall under the new provisions are:

* A hospital provides Wi-Fi internet services using its own Wireless Access Points (WAPs) to patients and visitors, and its tenants (a flower shop, newsagent, and pharmacy). All have telephone extensions through the hospital switchboard. These may all create the need for metadata retention.

* A university offers its students a life-long university email address as well as providing on-campus Wi-Fi and internet services to all campus visitors. Staff and current students are considered part of the university’s immediate circle and do not create any data retention obligations. However, alumni (past students), conference visitors, and (potentially) visiting lecturers are not, and the university may subsequently find that it needs to collect metadata for all users.

* A chain of coffee shops or hotels provides Wi-Fi Internet services and perhaps an internet terminal or two for its patrons. If the organisation owns and operates the Wi-Fi equipment, certain data must be retained despite the fact that the underlying internet access is provided by their ISP.

* A conference centre operates its own online collaboration services for use by conference attendees. The metadata associated with these ‘internet over-the-top’ services must also be retained.

“Organisations need to examine whether they offer some form of internet access to visitors or the general public using their own network equipment, or operate internet collaboration applications available to those outside their immediate business circle,” says Stevenson.

“If so, they may be obliged to collect, encrypt, and retain the associated metadata for two years, and make it available to government authorities on request,” he explains.

“The implications of the Data Retention Amendment are often not immediately clear, and the legislation must be read within the context of specific technical and business circumstances to understand exactly how it applies to individual organisations,” Stevenson says.

“Therefore, it is important that organisations seek proper legal advice to ensure they are meeting the requirements.”
