Office 365 and the Australian Data Retention Laws

Since October 12th, 2015 all the online communications done in Australia now is being tracked, monitored and stored for 2 years via a new law enforced. The so called Data Retention Bill. All this info is valid as of October 2015, you know…in the cloud, things change rapidly Smile


The Data Retention Bill, also known as "Telecommunications (Interception and Access) Amendment" is a hot topic right now. And as in any new technology, a lot of misconception is around. Let’s talk a bit about it and how does it impact if you have data hosted with Microsoft Office 365.

I am not going into the merit of right or wrong, because I know you came here from a business perspective and with the question in mind “What can I do to make sure I am compliant?”. Also a good place to start is to have a look at my post about Cloud Data Governance.

Explaining the Australian Data Retention Law

To be quite frank, apparently the law has so many loop-holes that it is hard to explain, but the Australian Parliament website has a good summary its intentions which is to force Internet Service Providers to keep "Telecommunications Data" for 2 years, limiting the reach of agencies that are able to access this data and to provide record-keeping and reporting on the use and access of this data.

Important to note here that they are talking about generic, abstract data. Not necessarily content, which takes us to the next point

The Metadata

Quoting the back then Minister for Communications, and now Prime-Minister Malcolm Turnbull:
"The type of data referred to in the bill as telecommunications data, more often described as metadata, is information about a communication but not its content. So, in the telephone world, it reveals that one number belonging to a particular account was connected to another number at a time and for a duration, but does not reveal what they discussed. In the IP world it reveals that a particular IP address, which may have been observed to have been engaged in some unlawful activity, had been at the relevant time allocated to a particular account. In the context of messaging—email, for example—it reveals the sender, recipient, time and date, but again not the content. Access to content, I stress, requires a warrant."

In his explanation, on this telecommunications data monitoring, only source and destination endpoints that are tracked, not the content that is exchanged and any access to the exchange data would require a warrant.  So, the government will know that for example Mr John Bloggs send a message to Mrs Jane Citizen on 13 October 2015 at 11:30 AM but the content of the conversation is not covered by the law.

2 Years Data Retention

All these communications will be retained for a period of 2 years. Data retention is expensive, very expensive. It is still a bit unclear how all this will be paid for and covered, what agreements will be in place, recovery and disaster strategy etc.

How Prepared are Australian Business?

apparently, not much. According to research ~90% of business are not. So much so that Telstra just revealed it needed another 18 months in order to become compliant. That’s a complicated matter, as you can see.


You Have No Reason to Worry

For us, law abiding citizens, I expect we have nothing to worry about. All this things are being tracked, monitored, collected and so on. The amount of data is ridiculous, gigantic, and it is very unlikely that the government will pinpoint someone and start monitoring the internet movements without a good reason. At the moment, there is not enough manpower, bandwidth and time for this. Clearly, these laws are targeting people with criminal intents, people in blacklists and persons of interest. For example, when a crime is committed and a person is identified, then the stored metadata about his/her communications can be used to clarify the root cause of their intentions.

I like compliance, structures and mostly, I like the identified needs to treat about data better. Some might say this is a bit overrated but at least they are this from a security mindset, which is a good thing. If you have nothing to hide, then there is no reason to be worried about it.

On Office 365

We know that now Office 365 has datacenters in Australia, this means that this data falls into the category of the Australian cyber laws initiatives. Luckily for you, Microsoft has a strong tradition of working closely with law makers and make sure that all data in the cloud is compliant and secure. Your data is still YOUR data..

Here are some of the controls in Office 365 that addresses the legislation and regulatory needs. In some cases, you can go through them and make sure they are aligned with the current legislation:

In short, if you are an Office 365 customer you can see that most of the controls needed to make sure your business is engaged with the Australian Data Retention laws are there already. However, this is only the technological part…the biggest challenges are on the business’ processes and procedures.