Since October 12th, 2015 all the online communications done in Australia now is being tracked, monitored and stored for 2 years via a new law enforced. The so called Data Retention Bill. All this info is valid as of October 2015, you know…in the cloud, things change rapidly
The Data Retention Bill, also known as "Telecommunications (Interception and Access) Amendment" is a hot topic right now. And as in any new technology, a lot of misconception is around. Let’s talk a bit about it and how does it impact if you have data hosted with Microsoft Office 365.
I am not going into the merit of right or wrong, because I know you came here from a business perspective and with the question in mind “What can I do to make sure I am compliant?”. Also a good place to start is to have a look at my post about Cloud Data Governance.
Explaining the Australian Data Retention Law
To be quite frank, apparently the law has so many loop-holes that it is hard to explain, but the Australian Parliament website has a good summary its intentions which is to force Internet Service Providers to keep "Telecommunications Data" for 2 years, limiting the reach of agencies that are able to access this data and to provide record-keeping and reporting on the use and access of this data.
Important to note here that they are talking about generic, abstract data. Not necessarily content, which takes us to the next point
Quoting the back then Minister for Communications, and now Prime-Minister Malcolm Turnbull:
"The type of data referred to in the bill as telecommunications data, more often described as metadata, is information about a communication but not its content. So, in the telephone world, it reveals that one number belonging to a particular account was connected to another number at a time and for a duration, but does not reveal what they discussed. In the IP world it reveals that a particular IP address, which may have been observed to have been engaged in some unlawful activity, had been at the relevant time allocated to a particular account. In the context of messaging—email, for example—it reveals the sender, recipient, time and date, but again not the content. Access to content, I stress, requires a warrant."
In his explanation, on this telecommunications data monitoring, only source and destination endpoints that are tracked, not the content that is exchanged and any access to the exchange data would require a warrant. So, the government will know that for example Mr John Bloggs send a message to Mrs Jane Citizen on 13 October 2015 at 11:30 AM but the content of the conversation is not covered by the law.
2 Years Data Retention
All these communications will be retained for a period of 2 years. Data retention is expensive, very expensive. It is still a bit unclear how all this will be paid for and covered, what agreements will be in place, recovery and disaster strategy etc.
How Prepared are Australian Business?
apparently, not much. According to research ~90% of business are not. So much so that Telstra just revealed it needed another 18 months in order to become compliant. That’s a complicated matter, as you can see.
You Have No Reason to Worry
For us, law abiding citizens, I expect we have nothing to worry about. All this things are being tracked, monitored, collected and so on. The amount of data is ridiculous, gigantic, and it is very unlikely that the government will pinpoint someone and start monitoring the internet movements without a good reason. At the moment, there is not enough manpower, bandwidth and time for this. Clearly, these laws are targeting people with criminal intents, people in blacklists and persons of interest. For example, when a crime is committed and a person is identified, then the stored metadata about his/her communications can be used to clarify the root cause of their intentions.
I like compliance, structures and mostly, I like the identified needs to treat about data better. Some might say this is a bit overrated but at least they are this from a security mindset, which is a good thing. If you have nothing to hide, then there is no reason to be worried about it.
On Office 365
We know that now Office 365 has datacenters in Australia, this means that this data falls into the category of the Australian cyber laws initiatives. Luckily for you, Microsoft has a strong tradition of working closely with law makers and make sure that all data in the cloud is compliant and secure. Your data is still YOUR data..
Here are some of the controls in Office 365 that addresses the legislation and regulatory needs. In some cases, you can go through them and make sure they are aligned with the current legislation:
- Information Rights Management: to help prevent sensitive information being printed, transferred, manipulated by unauthorized people.
- Data Loss Prevention: Controls to identify, monitor and protect sensitive email communications and files
- Electronic Discovery: Manages and controls all electronic content required by legislation for a civil litigation or investigation. This is across SharePoint Online, Exchange Online, OneDrive for Business and file shares.
- Records Management: A set of controls to make sure the lifecycle of documents are compliant with your records management policies
- Information Management Policies: Make sure the information management processes and regulations are auditable and has proper retention policies.
- Transport Rules: Uses algorithms to discover specific conditions in communications that pass through your organization, and then takes action on them.
- Audit Log: Controls what changes are done, by who, when and how.
In short, if you are an Office 365 customer you can see that most of the controls needed to make sure your business is engaged with the Australian Data Retention laws are there already. However, this is only the technological part…the biggest challenges are on the business’ processes and procedures.