Should organisations be collecting metadata?


The recently enacted Amendment to the Telecommunications Act requires telecommunications providers to retain details, in the form of metadata, of online communications and mobile/landline calls made by Australians from within Australia. As a result, every organisation should examine its position regarding metadata.

Iain Stevenson, Principal Consultant with UXC Consulting, said, “The Telecommunications Act – Data Retention Amendment came into force in mid-October 2015. However, organisations required to retain data can seek approval to progressively implement the necessary infrastructure and procedures, provided that they will be compliant by April 2017.

“Many organisations whose core business is not the provision of telecommunications, including the hospitality, education, healthcare, and local government sectors, also potentially fall under this legislation.

“While deadlines for preparing and submitting an implementation plan, or seeking an exemption or variation to your obligations, have now passed, it’s safe to assume that not every organisation that needed to meet this requirement actually achieved it.”

Retaining metadata can be quite onerous for organisations as the metadata itself has to be collected, encrypted, and stored securely for two years. This can become expensive in terms of the necessary tools and data storage as well as the additional ICT processes, compliance oversight, and reporting required.

Iain Stevenson said, “If your organisation is providing telecommunications services on your own network equipment to people outside of your immediate business circle, then it is likely that you must now have a plan for retaining the resultant metadata.”

Four examples of organisations that fall under the new provisions are:

* A hospital provides Wi-Fi internet services using its own Wireless Access Points (WAPs) to patients and visitors, and its tenants (a flower shop, newsagent, and pharmacy). All have telephone extensions through the hospital switchboard. These may all create the need for metadata retention.

* A university offers its students a life-long university email address as well as providing on-campus Wi-Fi and internet services to all campus visitors. Staff and current students are considered part of the university’s immediate circle and do not create any data retention obligations. However, alumni (past students), conference visitors, and (potentially) visiting lecturers are not, and the university may subsequently find that it needs to collect metadata for all users.

* A chain of coffee shops or hotels provides Wi-Fi internet services and perhaps an internet terminal or two for its patrons. If the organisation owns and operates the Wi-Fi equipment, certain data must be retained despite the fact that the underlying internet access is provided by their ISP.

* A conference centre operates its own online collaboration services for use by conference attendees. The metadata associated with these ‘internet over-the-top’ services must also be retained.

Iain Stevenson said, “Organisations need to examine whether they offer some form of internet access to visitors or the general public using their own network equipment, or operate internet collaboration applications available to those outside their immediate business circle. If so, they may be obliged to collect, encrypt, and retain the associated metadata for two years, and make it available to government authorities on request.

“The implications of the Data Retention Amendment are often not immediately clear, and the legislation must be read within the context of specific technical and business circumstances to understand exactly how it applies to individual organisations. Therefore, it is important that organisations seek proper legal advice to ensure they are meeting the requirements.”

About UXC Consulting
UXC Consulting works closely with Australia’s tier-one organisations to provide IT intelligence that transforms existing ICT service capabilities into a strategic business asset. We deliver deep domain expertise across seven service pillars: Strategy & Architecture; Business Analysis; Business Transformation; IT Service Management; Communications; Project, Portfolio & Programme Management; and Information & Cyber Security.

Setting the benchmark for industry thought leadership, UXC Consulting provides deep, specialised intelligence regarding IT game-changers including cloud computing, BYO Computing and mobility.

UXC Consulting has a commanding presence in the Australian market, with more than 250 employees across the region, servicing in excess of 400 clients, with more than 200 accreditations and certifications across the company’s six practice areas.

UXC Consulting is part of UXC Limited, the largest Australian-owned provider of ICT consulting services.