Although Attorney-General George Brandis is now forcing companies to retain all Australians' private metadata for warrantless access by government agencies, his office has argued it would be an "unreasonable interference" for metadata related to his job to be released under freedom of information law. Last year, before the mandatory data retention legislation passed into law, and before Brandis could even define what "metadata" was, I filed a freedom of information request for Brandis' metadata held by the office of the Attorney-General. The response from the office was to provide a redacted Telstra phone bill. Not happy with this response, Crikey sought a review with the Office of the Australian Information Commissioner -- incidentally the agency the government is still trying to shut down. Up until the end of last year the OAIC, operating in an environment where funding is limited while the government still can't pass legislation to shut down the office, was indicating the case could be sent to the Administrative Appeals Tribunal. This was based on a confidential submission made by the Attorney-General's chief of staff, Paul O'Sullivan, to the OAIC. Sending the case to the AAT would bring with it an application fee alone of over $800. After initially being unable to provide the letter, the OAIC has now agreed to release O'Sullivan's letter to Crikey. The letter admits that no one in the Attorney-General's office is "a trained specialist in telecommunications or information technology" but indicates that the request could cover Brandis' taxpayer-funded smartphone, as well as the computers he uses in Parliament, and offices in Sydney, Brisbane and Canberra. The final definition of metadata provided by the government in the letter is: dates, times, and duration of calls; IP addresses; email addresses; location details; and URLs "to the extent that they do not identify content of a communication". O'Sullivan admits in the letter that contrary to his initial response "some information" related to metadata might be stored on the devices operated by Brandis, but to search and retrieve the metadata "would constitute a substantial and unreasonable interference with the functions of the attorney-general". This is because Brandis himself would be required to log in to access his records, and his devices would need to be handed over for review. The letter states:
"Even if security and privacy concerns could be overcome, so that at least parts of the job could be delegated to others, it remains the case that the attorney-general's smartphone would need to be taken away from him, perhaps for a significant period of time. It is the AGO's view that processing the request in accordance with the OAIC's interpretation of [the FOI request] would hamper the performance of his official functions."
There would need to be a "substantial amount of consultation" with IT experts, and hours needed to redact the documents that would be handed over.
"Assuming (without agreeing) that the OAIC is right to suggest that the times, dates, recipients and senders of emails constitute telecommunications metadata ... the task of gathering emails and redacting irrelevant material would alone be very resource-intensive. No doubt thousands of documents would be involved."
Crikey is planning to continue with the review. In November last year, the AAT ruled against O'Sullivan's attempt to refuse on practical grounds a freedom of information request from shadow attorney-general Mark Dreyfus over access to Brandis' diary between September 18, 2013, and May 12, 2014. O'Sullivan argued that it would take between 228 and 630 hours to process the request, but the AAT found that a "weekly agenda" format in an Outlook document could be easily produced, showing just the time and date of meetings, who was invited to the meetings, and what the meetings were about. It was estimated this would cover approximately 1930 individual meeting items. The AAT has ordered the Attorney-General's Office to process Dreyfus' request. Last month, the government opened up its grants program to telecommunications companies to meet (some of) the costs for building systems to store customer data for two years as required by the mandatory data retention regime. As Crikey first revealed, it is $128.4 million in funding, not $131.3 million as outlined in the budget because the government is keeping close to $3 million for itself for "administrative costs".