Frequently asked questions: Telecommunications (Interception and Access) Act 1979 (Cth)
QGCIO
Frequently asked questions: Telecommunications (Interception and Access) Act 1979 (Cth)
ENDORSED
April 2007
1.1.0
UNCLASSIFIED
Frequently asked questions: Telecommunications (Interception and Access) Act 1979 (Cth)
QGCIO
Document details
Security classification / UNCLASSIFIEDDate of review of security classification / April 2007
Authority / QGCIO
Author / Queensland Government Chief Information Office (Enterprise Architecture & Strategy), Crown Law
Documentation status / Working draft / Consultation release / þ / Final version
Contact for enquiries and proposed changes
All enquiries regarding this document should be directed in the first instance to:
Director, Enterprise Architecture and Strategy
Queensland Government Chief Information Office
Copyright
Frequently asked questions: Telecommunications (Interception and Access) Act 1979 (Cth)
Copyright © The State of Queensland (Department of Public Works) 2009
Licence
Frequently asked questions: Telecommunications (Interception and Access) Act 1979 (Cth) by QGCIO and Crown Law is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 2.5 Australia License. Permissions may be available beyond the scope of this licence. See www.qgcio.qld.gov.au.
Information security
This document has been security classified using the Queensland Government Information Security Classification Framework (QGISCF) as UNCLASSIFIED and will be managed according to the requirements of the QGISCF.
Contents
1 Introduction 4
2 Questions 4
2.1 What if we don’t monitor at all? 4
2.2 Inappropriate content 4
2.3 Employee withholds authorisation 5
2.4 Blocking emails 5
2.5 Copying before delivery 6
2.6 Backup 6
2.7 Spam and security threats 6
2.8 Knowledge of sender 9
2.9 Without the knowledge of sender 9
2.10 Emails from government addresses 9
2.11 Forwarding emails 9
2.12 Non-user specific email addresses 10
2.13 Employees on leave 10
2.14 Employees who have left agency 10
2.15 Who should review emails? 11
2.16 Who should review emails of absent employees? 11
2.17 Identifying reviewers 11
2.18 Preventing loss of records 11
2.19 Retrieval after termination 12
2.20 Compliant to CMC 12
2.21 Email storage for ex-employees 12
2.22 Liability 12
2.23 Web based email 13
2.24 Smart phones/PDAs 13
2.25 Telephone monitoring 13
ENDORSED 1.1.0, April 2007
Page 15 of 15
UNCLASSIFIED
UNCLASSIFIED
Frequently asked questions: Telecommunications (Interception and Access) Act 1979 (Cth)
QGCIO
1 Introduction
At this point in time the Federal Senate has recognised that there are a number of issues which remain unclear in the revised Telecommunications (Interception and Access) Act 1979 (TIA Act) with policy determinations yet to be made before it is amended further. The information contained in this document has been extracted from a Crown Law Q & A presentation session in April 2007.
This FAQ Sheet and the accompanying email monitoring fact sheet are intended to provide an indication of the comparative levels of risks associate with different monitoring practices and identify some practices that may represent reasonably safe compromises between legal risk and operational necessity. However, agencies should pay close attention to the provisions of the TIA Act and obtain legal advice where necessary in formulating and updating their monitoring practices. The contents of this document do not constitute legal advice and should not be relied on as specific advice. The applicability of the information in this document may vary significantly depending on the particular configuration of an agency’s ICT network and its monitoring practices.
2 Questions
2.1 What if we don’t monitor at all?
Question
What are the consequences of not monitoring (copying) emails at all? Is there a statutory obligation on agencies to monitor for inappropriate or unauthorised material?
Response
There is no specific, express statutory obligation to monitor emails. However, it is conceivable that legal consequences might arise if emails are not monitored. For example, a claim might be brought for negligence or contravention of the Workplace Health and Safety Act 1995 if someone suffers a mental injury due to exposure to disturbing content. Deleting emails should also be considered in light of an agency’s obligations under the Public Records Act 2002. However, in most circumstances none of these factors will provide legal justification for breaching the TIA Act.
2.2 Inappropriate content
Question
Our agency currently scans emails for inappropriate content (the scanning is an automatic process). Does this count as accessing the email prior to the addressee?
Response
Automatic scanning of email for inappropriate content raises difficult issues as many scanning applications involve copying of an email, even if the copy is only for the purposes of the automatic scanning and is immediately deleted. Whether or not such scanning is the same as ‘copying’ in the sense of the TIA Act is difficult to say as a matter of law, although reasonably strong arguments can be made that it is not. If automated scanning for inappropriate content (as opposed to scanning for maintenance purposes) is to be implemented prior to the email becoming accessible to the addressee and without the knowledge of the sender, then it is necessary to rely on this interpretation.
Where scanning is conducted for the purpose of detecting security threats and Spam, exceptions may apply: see Part 2.7 of this document.
Question
Assuming that the TIA Act does permit automatic scanning of email for inappropriate content, then what if our agency's automatic scanning process identifies inappropriate content, and quarantines suspect emails for viewing by agency staff prior to delivery to the addressee?
Response
Quarantining and viewing by agency staff is likely to involve copying in the TIA Act sense. At the very least, a copy will appear on the viewer's screen and additional electronic copies will probably be cached. The email monitoring fact sheet outlines possible methods of dealing with these issues in sections 4.2 and 4.3. These processes can involve notifying the addressee of the email and providing them with options for release or deletion of email.
Again, where scanning is conducted for the purpose of detecting security threats and Spam, exceptions may apply: See Part 2.7 of this document.
2.3 Employee withholds authorisation
Question
If an agency blocks an email and then forwards an email to the employee seeking their advice as to what they wish to be done with the email – a) deleted or b) manually reviewed by an authorised person – what does the agency do if the addressee responds that they do not authorise either of these options?
Response
This approach is similar to Option 2 (Deletion or Manual Review) in the email monitoring fact sheet. If this approach is taken, the email to the employee should provide for automatic deletion after a set number of days by default. The TIA Act does not give employees a right to actually receive emails, and the employer may delete emails at any time. All emails should be treated on a case by case basis if circumstances are particularly sensitive.
2.4 Blocking emails
Question
Where automated email filtering software is used to scan and block messages containing unauthorised content, is it reasonable for agencies to modify the automated advice that is sent to employees whose messages have been blocked to state that by requesting the release of the message, the employee is providing consent for the content of the message to be manually viewed prior to the message being made accessible to them? I.e. No consent, no delivery?
Response
The prohibition in the TIA Act is concerned with the sender’s knowledge that an email will be copied. The consent of the addressee to manual viewing is therefore not enough by itself. However, once the addressee has some control over the email, the email may be considered to be 'accessible' and therefore no longer covered by the TIA Act, which then means the addressee can consent to others viewing it. Section 4.3 of the email monitoring fact sheet outlines processes that may give the addressee enough control over the email to meet this requirement, provided for example that the addressee has alternative rights such as allowing the email to be deleted without manual viewing. The approach suggested in the question is similar to Option 2 (Deletion or Manual Review) in the email monitoring fact sheet.
2.5 Copying before delivery
Question
Is it within the spirit of the legislation to copy “suspect” emails before they are actually delivered knowing that they will be delivered? It is a matter of the timing and we are only talking seconds at most - Copied emails are not reviewed prior to them being delivered. (There will be additional costs if suspect emails can only be copied after actual delivery to the addressee’s mail box).
Response
Email may be copied once it is delivered to the addressee’s mailbox on the mail server and is available for downloading by the addressee. It need not have been delivered to the addressee’s PC or read by the addressee. Timing may be an issue even if a separate copy is taken a split second before it arrives in the employees’ mail box on the mail server.
2.6 Backup
Question
Our agency quarantines suspect emails and sends a notification message to the addressees inviting them to request release. The quarantined emails are stored each night by backup. Is this allowable?
Response
If Option 1 (Self Release) in the email monitoring fact sheet is implemented, then the email may be backed up (assuming that Option 1 is itself legal). If Option 2 (Deletion or Manual Review), it would be safest under the TIA Act not to include these emails in backup.
An argument might be made that backup falls within the maintenance exception as it is something required to effectively perform duties concerning the maintenance of equipment. However, the legal strength of this argument has not been tested.
2.7 Spam and security threats
Question
Our agency currently scans emails for Spam and security threats such as viruses (the scanning is an automatic process). Does this count as accessing the email prior to the addressee?
Response
The responses in Part 2.2 above cover the possibility that automatic scanning of emails for certain content may be unlawful. However, it is possible that scanning for Spam and security threats may be lawful under the TIA Act exception for maintenance activities - a person may record or copy an email where it is reasonably necessary for the person to intercept the communication in order to effectively perform duties concerning the maintenance of equipment or a line. This might cover filtering to prevent damage from viruses, or to prevent network flooding by Spam. It may also be lawful for some emails that contain or are reasonably suspected to contain security threats or Spam to be viewed by humans and dealt with in other ways, as persons who deliberately send such emails must be aware that they will often be intercepted.
If the agency is not satisfied that the maintenance exception applies, then the agency needs to consider the same issues as apply in relation to scanning for inappropriate content.
Question
If quarantining/blocking on a server during the delivery of email is deemed not allowable, can suspected Spam be automatically tagged/annotated once the email has arrived in the addressee’s mailbox?
Response
Yes. Once the email has arrived in the addressee's mailbox, it is accessible to the addressee and the TIA Act no longer applies to limit scanning or copying. .
Question
Is it then allowable to search for the tag/annotation and the returned results to be deleted?
Response
Yes. Once it’s in the mailbox, scanning and copying is no longer an issue.
Question
My agency uses an electronic scanning application that identifies emails that are highly likely to be Spam and deletes them without notifying the addressee. Is this acceptable under the Act?
Response
If the scanning itself is permitted under the maintenance exception, then deletion is no problem under the TIA Act. Deletion is in fact preferable to keeping a copy.
Question
Currently, samples are taken of Spam that employees have received and authorised officers create blocking rules preventing this type of Spam through in the future. Will this activity be an acceptable practice under the TIA Act?
Response
Sample taking from email in an employee's mailbox on the mail server is fine as it is already accessible to the addressee. If the email is not yet accessible, sample taking may be acceptable if copying the Spam falls within the maintenance exception.
Question
Can “real” Spam (vendor determined with a high confidence level of accuracy) be treated the same as a virus ( “automatically” determined by vendor metrics, captured and deleted immediately or after a quarantine period)?
Response
As above, the agency needs to be satisfied that the scanning and quarantining for this type of Spam control falls within the maintenance exception.
Question
Over the past year, many of the Phishing attacks encountered have been via Australian bank addresses, for example: anz.com or anz.com.au, suncorp.com.au and so on. In order to ensure that these attacks are not transferred through to the users (generally 1,000 e-mails received per attack), these addresses (all bank domains from which an attack has come) are quarantined and reviewed prior to releasing/actioning. In the above case, does reviewing the individual e-mail before actioning contravene the Act as currently written?
Response
As above, the agency needs to be satisfied that the scanning and quarantining for this type of Spam control falls within the maintenance exception. Even if the maintenance exception does not apply, however, it will also most likely be lawful to deal with email coming from known fraudulent domains such as these as senders such as these know that the email will often be scanned.
Question
Notwithstanding difficulties of the agency in regards to Spam how are third party Spam filtering services to react to this requirement? Does agency use of a Spam service effectively ‘authorize, suffer or permit another person to intercept a communication’?
Response
As above, the agency needs to be satisfied that the need for the scanning falls within the maintenance exception.
Question
In our organisation, received emails detected as Spam are marked in one of two ways: “Blatant” Spam, which is deleted or “Likely” Spam which is placed in a quarantine area. Quarantined emails are kept for a fixed period of time and then automatically deleted, the user is not notified of emails that have been quarantined. The messages in the quarantine folders are not accessed by any other staff members. The volume of email placed into quarantine depends on various factors, but in different parts of the organisation we see up to 15% of received email being put into quarantine. It would be inconvenient and burdensome to the users to notify them of each particular email that is quarantined. It would be equivalent to allowing the Spam to be delivered in the first place. Deleting these emails immediately isn't an option as users occasionally make requests regarding an email they believe they should have received but didn't. They are subsequently given access to their quarantine folder, where they may find a legitimate email which they can clear from quarantine. If a user doesn't request access to their quarantine folder it isn't provided to them. Once they have requested access initially, it is available for them to access directly at any time in the future. It is done this way to avoid confusion for the majority of users who will never need access to their quarantine folder. Do we need to notify the users about these quarantined messages at all?