The Department of Home Affairs says it would take "considerable time and resources" for it to determine how many agencies across Australia's three tiers of government have accessed metadata held under the nation's data retention laws.
Responding to Questions on Notice, Home Affairs pointed out another of the loopholes that gives agencies not on the list of 21 enforcement agencies the ability to access metadata.
"Section 280(1)(b) of the Telecommunications Act 1997 creates an exemption to the general prohibition against the disclosure of metadata for Commonwealth, state, or territory entities that are not enforcement agencies," Home Affairs said.
"The authorities that can utilise this exemption are not specified."
Agencies that have the power to order the disclosure of information could force the issue with a court order or notice to produce powers, the department said.
As ZDNet reported nearly three years ago, 61 agencies that previously had access to metadata looked to be added as declared enforcement agencies, which would give them warrantless access.
In June 2017, it was revealed the Attorney-General's Department (AGD) had been advising agencies and departments to attempt to access metadata through other means.
"On advice from the Attorney-General's Department, the department has considered other methods of obtaining metadata using statutory coercive powers under portfolio legislation, and by engaging the Australian Federal Police (AFP) to obtain metadata," the Department of Agriculture and Water Resources wrote in a letter dated June 10, 2016, and published on RightToKnow.
"The department has received preliminary legal advice as to the merits of using coercive powers, which suggests that the approach is problematic due to the construction of portfolio legislation.
"Advice received from the AFP indicates that it does not have the resourcing, compliance, or risk considerations to obtain metadata on behalf of other agencies, including the department."
Last month, the Communications Alliance detailed a list of agencies that tried to access telco metadata following the introduction of Australia's metadata retention regime.
The industry group pointed out that a request for metadata does not mean data was disclosed. It was not possible to accurately compile how many requests and disclosures were made.
"We have seen, for example, one carrier that made 132 disclosures in response to 114 requests over a 12-month period, while some other carriers have experienced smaller volumes over similar periods," it said.
"Determining volumes is further complicated by the fact that while responses to some requests are derived from the mandatory data retention store, some requests can also be met by interrogating business systems or databases that hold similar or identical information for commercial use."
The list contained four local councils, Centrelink, and the Victorian Institute of Teaching.
Comms Alliance added that its list might not be complete.
In March 2017, AGD said it had no issue with the ability of government agencies to make demands on telco data outside of the scope of Australia's data retention laws.
"There have long been provisions in the Telecommunications Act 1997 allowing records, including telecommunications data, to be disclosed where required or authorised by law," a spokesperson for AGD told ZDNet at the time.
"These powers are distinct from the data retention regime set out under the Telecommunications (Interception and Access) Act 1979."
In its response to ZDNet, AGD did not say it would look to prevent agencies from accessing metadata by other means.
Australia's data retention regime came into being after it was supported by both major parties in Parliament.
Speaking in June 2016, then Shadow Communications Minister Jason Clare said Labor helped "fix" the government's data retention legislation.
"The changes we forced the government to make mean tighter rules, and for the first time real oversight over the use and misuse of this data," Clare said.
Source: zdnet.com, 21 Dec 2018