The TIO has started to receive a small number of complaints from consumers about difficulties accessing their metadata from their telco providers. Data retention obligations, which commenced on 13 October 2015, require telco providers to keep certain customer data (metadata) for at least two years. The obligations apply to licensed carriers, carriage service providers and internet service providers, irrespective of company size or customer base.
What is metadata?
Metadata is information about a communication: who sent and received the communication, when, for how long, from which location and how. Metadata does not include the content or substance of a communication.
The metadata stored for phone calls may include the:
- phone numbers called or messaged using SMS
- date, time and duration of calls and SMS
- unique IMEI (International Mobile Equipment Identity) number of the device used, and
- location of the nearest cell tower when a call or SMS was sent or received.
The metadata stored for internet activity may include the:
- time, date, size, sender and recipients of emails
- time and duration of web connections
- volume of uploads and downloads, and
- location and geographical data (eg location of a Wi-Fi hotspot).
Telcos do not have to store metadata relating to a range of apps, including over-the-top communication services such as iMessage, WhatsApp and Snapchat. The full data set included in the laws can be found in section 187AA of the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2015.
Who can access metadata?
There are a number of approved agencies which can access metadata. A provider does not have to tell a consumer if their metadata has been provided to an approved agency.
Metadata can help law enforcement agencies and other approved organisations investigate crimes and it is commonly used in serious criminal or national security investigations.
How we deal with complaints
The TIO cannot look into a complaint about a provider disclosing metadata to an approved enforcement agency. These complaints should be reported to the Office of the Australian Information Commissioner (OAIC).
However, the TIO can consider other complaints to do with metadata. Under Australian privacy law, certain corporate and government entities must provide personal information they hold about individuals when requested. Consumers have made complaints to the TIO about requests for metadata not being actioned, as well as complaints about receiving unclear advice about how metadata can be obtained.
For more information on data retention, visit the Attorney-General's Department website.
- Data retention - Frequently Asked Questions for Industry
- New data retention obligations for providers