Queensland Government Chief Information Office


QGEA

Document details

Security classification: PUBLIC

Date of review of security classification: July 2012

Authority: Queensland Government Chief Information Officer

Author: Queensland Government Chief Information Office in consultation with Crown Law

Documentation status: Working draft / Consultation release / Final version

Contact for enquiries and proposed changes

All enquiries regarding this document should be directed in the first instance to:

Queensland Government Chief Information Office
[email protected]

Acknowledgements

This version of the Email monitoring and the Telecommunications (Interception and Access) Act guideline was developed by the Queensland Government Chief Information Office, in consultation with Crown Law.

Copyright

Email monitoring and the Telecommunications (Interception and Access) Act guideline

Copyright © The State of Queensland (Queensland Government Chief Information Office) 2012

Licence

Email monitoring and the Telecommunications (Interception and Access) Act guideline by the Queensland Government Chief Information Office is licensed under a Creative Commons Attribution 3.0 Australia licence. To view the terms of this licence, visit http://creativecommons.org/licenses/by-nc-nd/3.0/. For permissions beyond the scope of this licence, contact [email protected].

To attribute this material, cite the Queensland Government Chief Information Office.

Information security

This document has been security classified using the Queensland Government Information Security Classification Framework (QGISCF) as PUBLIC and will be managed according to the requirements of the QGISCF.

Email monitoring and the Telecommunications (Interception and Access) Act guideline

Final

July 2012

v1.0.0

PUBLIC


Contents

1 Introduction
    1.1 Purpose
    1.2 Audience
    1.3 QGEA domains

2 Background
    2.1 Legal risk assessment
    2.2 Safe versus reasonably safe
    2.3 Other issues

3 Applying the TIA Act
    3.1 Automated scanning of emails
    3.2 Dealing with emails after automated scanning
    3.3 Quarantining emails
    3.4 Dealing with quarantined emails
    3.5 Dealing with emails in the course of performing network protection duties
    3.6 Spam
    3.7 Absent employees

4 Application of the TIA Act to typical monitoring activities
    4.1 Email drafted by sender but not sent
    4.2 Email transmitted or sent by the sender
    4.3 Email passes the gateway into the department’s ICT system

5 TIA Act FAQs

Appendix A Definitions and terms for interpreting the TIA Act

Appendix B Possible treatment of incoming email under the TIA Act


1 Introduction

1.1 Purpose

This guideline provides information and advice for Queensland Government departments to consider when addressing issues surrounding monitoring employee email, as part of the Use of ICT facilities and devices policy (IS38). These guidelines do not form the mandatory component of IS38; departments need to interpret them in the context of their own department.

The contents of this document do not constitute legal advice and should not be relied on as specific advice. The applicability of the information in this document may vary significantly depending on the particular configuration of a department’s ICT network and its monitoring practices. However, they are a result of Crown Law advice, and as such departments are strongly encouraged to read and refer to the information contained within this guideline. Departments are strongly recommended to obtain legal advice in light of any uncertainties.

Definitions relating to this guideline are located at Appendix A.

1.2 Audience

This document is primarily intended for:
- chief executive officers (CEOs)/other senior officers who authorise how departmental ICT facilities and devices may be used
- human resource professionals
- information management/ICT policy staff.

1.3 QGEA domains

This guideline relates to the following domains:

Classification framework    Domain
Business process            BP-2.4 Develop organisational regulation
                            BP-8 Develop and manage human resources
                            BP-9 Manage information and technology resources


2 Background

Before 2004, the Telecommunications (Interception) Act 1979 prohibited the interception of all communications (including emails) passing over a telecommunications system without the knowledge of the sender of the communication (except by a law enforcement agency under warrant). In summary the Telecommunications (Interception) Act 1979:
- was originally made to regulate telephone calls, i.e. circuit switched communications conducted in real time
- primarily focuses on the interception powers of law enforcement agencies
- attempts to tread the line between the Federal Government constitutional power over telecommunications and the states’ powers, e.g. over seizure of physical computer equipment
- is aimed at protecting the privacy of the sender of a communication – the consent of the recipient is not enough to make interception lawful.

Briefly, between 2004 and 2006, amendments to the Telecommunications (Interception) Act 1979 had the effect of permitting an employer to view or copy any emails stored on its ICT systems (known as ‘stored communications’) regardless of whether the sender knew this would occur or the addressee had received the email, provided that these actions did not contravene any other law e.g. privacy.

This period ended with the commencement of new amendments to the Act on 13 June 2006. Also as a result of these amendments, the Telecommunications (Interception) Act 1979 is now known as the Telecommunications (Interception and Access) Act 1979 (Cth) (TIA Act).

The federal government recognised that there were a number of issues which remained unclear in the revised TIA Act, with policy determinations about network administration yet to be made before the Act was amended further. In 2010, after a very brief consultation period, the Telecommunications (Interception and Access) Amendment Act 2010 was passed. It introduced into the TIA specific provisions permitting dealing with electronic communications for the purposes of performing ‘network protection duties’.

This guideline outlines the scope of the network protection duties exception and processes for monitoring emails. It also provides guidance on the levels of legal risk associated with these processes given the uncertainties in the Act. The definitions located at Appendix A should be considered when developing departmental monitoring processes.

The ICT Policy and Coordination Office will continue to liaise with Crown Law and monitor this issue and advise departments of progress.

2.1 Legal risk assessment

Crown Law has advised that, despite the introduction of the network protection duties exception, there are still aspects of the TIA Act that are ambiguous. Crown Law consulted with the Federal Attorney-General’s Department in the course of advising on the TIA Act and the outcomes of the consultation are generally reflected in the conclusions in this fact sheet.

However, the views of Crown Law and the Federal Attorney-General’s Department differ in some ways, particularly the extent to which human viewing of emails for purposes other than network protection prior to receipt by the intended recipient is lawful. The Federal Attorney-General’s Department has expressed the view that human viewing may not be unlawful under the TIA Act provided that no additional enduring copies are made. Crown Law believes that the Act could possibly be read as prohibiting such conduct. However, it would be reasonable for departments to choose to rely on the Federal Attorney-General’s Department interpretation.

2.2 Safe versus reasonably safe

This fact sheet therefore in some cases describes certain conduct as ‘safe’ or ‘reasonably safe’. ‘Safe’ conduct is definitely or most likely legally safe on a conservative interpretation of the TIA Act. ‘Reasonably safe’ conduct is based on a less restrictive interpretation which at least takes into account the views of the Federal Attorney-General’s Department.

The views expressed by the Federal Attorney General’s Department are not legal advice and this fact sheet should also not be taken as representing the views of that Department.

2.3 Other issues

Departments must keep in mind other issues when establishing and implementing network monitoring practices, including privacy, confidentiality, record keeping, privilege etc. For example, dealing with emails marked ‘private and confidential’ may need to take into account confidentiality laws. Activities that are not prohibited by the TIA Act may still be prohibited by other laws. These fall outside the scope of the TIA Act and this fact sheet.

3 Applying the TIA Act

Applying the TIA Act to network monitoring activities can be difficult. Some network monitoring practices are clearly lawful, but others are more dubious due to uncertainties in interpreting the TIA Act. The TIA Act was not originally designed to address computer network issues.

Unfortunately, what is safest for departments for the purposes of protecting departments’ computer system from security threats or misuse is inversely proportional to what is safest from a legal perspective.

The TIA Act suggests that the legally safest approach would be to:
- not scan or monitor or block or quarantine emails at all
- allow emails to go directly to the addressees’ mailbox on the mail server, available for downloading by the addressee
- allow departmental personnel to access and copy the email only once the email is available for downloading by the addressee.

This approach is, of course, unlikely to be acceptable to most departments. If any scanning, quarantining or other practices are to be followed outside of the above policy, it is necessary to consider the TIA Act issues surrounding those practices. Due to the lack of certainty in the Act, a degree of legal risk is unavoidable, and this fact sheet is intended to provide an indication of the comparative levels of those risks and identify some practices that may represent reasonably safe compromises between legal risk and operational necessity.

The guidelines below primarily apply to dealings with incoming emails received from third parties outside of the department. External emails are most likely to cause difficulties as it is not possible to reliably put third party senders on notice that their emails may be intercepted. Departments can institute internal processes to ensure employees who send emails are aware that their emails may be intercepted. However, further discussion of the application of the TIA Act to emails sent by employees is included at the end of this fact sheet. In addition Appendix B provides a flowchart which outlines the possible treatment of incoming email under the TIA Act 1979.

3.1 Automated scanning of emails

Scanning an email entering a department’s network usually involves making a copy of the email, even if the scanning process is automatic, electronic and the copy is transient. Crown Law advice outlines a range of possible scanning activities commencing with those which will definitely not contravene the TIA Act, and others that are less certain or clearly unlawful. Note that the risks associated with scanning only arise if:
- the scanning occurs before the email is accessible to the addressee
- the sender of the email is not aware that the scanning will occur.

3.1.1 Safe

Use automated electronic scanning and filtering applications that:
- do not create copies of the email, however transient, OR
- scan the email for particular characteristics (such as attachment file types) but only create a copy of the results of the scan (e.g. types of attachments), OR
- scan the email but only create copies for network protection purposes (e.g. identifying viruses, security threats, flooding attacks). Do not keep copies unless necessary for those purposes.

3.1.2 Reasonably safe

Use automated electronic scanning for any purpose, including inappropriate content issues, provided that any copies created are only transient. This relies on interpreting the meaning of ‘copying’ in the TIA Act narrowly as only extending to more permanent copying or recording of emails. If automated scanning for inappropriate content (as opposed to scanning for network protection purposes) is to be implemented:
- before the email is accessible to the addressee, and
- without the knowledge of the sender

then it is necessary to rely on this interpretation, although it is untested as a matter of law. If, after automated electronic scanning, a human wishes to scan a particular email, then further guidance is provided below.

3.1.3 Unlawful

Use automated electronic scanning and filtering applications that create additional enduring copies of emails for purposes other than network protection duties.

3.2 Dealing with emails after automated scanning

Departments need to match safe scanning with safe dealings with emails. What the department wants to do with the email after scanning will influence the type of scanning they can safely do. The department therefore needs to establish a protocol consistent with both activities.

The more automated the processes of dealing with emails after scanning are, and the fewer copies that are created, the safer the department will be.


3.2.1 Safe

If your scanning processes are safe (see ‘Scanning’ above) then:
- block or delete suspect emails detected by those scanning processes. Do not keep copies or view the emails. The TIA Act does not oblige a department to deliver emails
- quarantine emails if safe or reasonably safe to do so (see ‘Quarantining emails’ below)
- permit the email to pass to the intended recipient (at which point the email may be copied or otherwise accessed without risk of contravening the TIA Act)
- create copies of emails if reasonably required to perform network protection duties (see ‘Dealing with emails in the course of performing network protection duties’ below).

3.2.2 Unlawful

Other than in the course of performing network protection duties, create additional copies of the email, e.g. by taking a copy for the purpose of using as evidence or forwarding it to persons other than the intended recipient, prior to the emails becoming accessible by the intended recipient.

3.3 Quarantining emails

Quarantining an email in this sense means interrupting the email during its ordinary course of passing from the sender’s PC to the intended recipient’s PC and storing it on the computer network.

There are many reasons why a department may wish to quarantine emails. Some of these clearly fall within the scope of network protection and are therefore lawful. Others that may or may not be lawful include storing for the purposes of later manual scanning, e.g.:
- random sampling for misuse
- excessive attachment size
- surveillance of an employee suspected of misconduct
- checking emails identified by automated scanning to contain spam, potentially inappropriate attachments (e.g. through skin tone or offensive language filters), or other inappropriate uses of email.

As an alternative to manual scanning, the emails might be quarantined while the intended recipient is invited to choose whether or not to request release of the email.

Previous versions of this information sheet considered the legal effect of notifying the intended recipients of emails of the receipt of a suspect email and providing them with the opportunity to have the emails released or deleted. This was identified as a possible method of establishing the legal circumstances necessary to permit quarantining. More recent discussions with the Federal Attorney-General’s Department have indicated that this may not be necessary, though such notifications can still be a useful means of managing quarantining of emails.

3.3.1 Safe

Quarantine emails for network protection purposes only.

Access quarantined emails in accordance with section 3.4 Dealing with quarantined emails below.

3.3.2 Reasonably safe


Quarantine emails for network protection purposes and other purposes (see examples under ‘Quarantining emails’ above).

Access quarantined emails in accordance with section 3.4 Dealing with quarantined emails below.

3.3.3 Unlawful

Create multiple copies of quarantined emails.

3.4 Dealing with quarantined emails

Once an incoming email is quarantined, the TIA Act will also be relevant to how the department deals with the email.

3.4.1 Safe

Block or delete the emails. Do not keep copies or view the emails. The TIA Act does not oblige a department to deliver emails.

Permit the quarantined email to be made accessible to the intended recipient, i.e. at the mail server or the recipient’s PC (at which point the email may be copied or otherwise accessed without risk of contravening the TIA Act).

Inform the intended recipient that the email has been received and invite them to choose whether the email is released or deleted.

Deal with the email in accordance with section 3.5 Dealing with emails in the course of performing network protection duties below.

3.4.2 Reasonably safe

Deal with the emails as set out under ‘safe’ above but also permit human viewing of quarantined emails for any purpose provided that no enduring copy is created. Use the information gained from viewing the email for purposes including discipline for inappropriate use, but do not take a copy of the email unless or until it has been made accessible to the intended recipient. Departmental personnel might, for example, conclude from the contents of an incoming email that an employee is possibly using email inappropriately, and then access the employee’s PC to confirm that suspicion and obtain evidence.

This conclusion takes into account discussions between Crown Law and the Federal Attorney General’s Department, though as noted above the Department did not provide legal advice and this fact sheet should not be taken as representing its views. However, Crown Law believes the Act could still be interpreted as prohibiting human viewing of quarantined emails for purposes other than network protection and recommends that viewing be limited to the extent reasonably required to perform network protection duties.

Note that while a copy that has been quarantined for network protection reasons can be viewed and the information from the viewing be used to perform network protection duties, the information cannot be used for other reasons – see section 3.5 Dealing with emails in the course of performing network protection duties below.

3.4.3 Unlawful

Other than as reasonably required to perform network protection duties, make copies of quarantined emails or forward them to persons other than the intended recipient prior to the emails becoming accessible by the intended recipient.


3.5 Dealing with emails in the course of performing network protection duties

The network protection duties exception makes it clear that a responsible person for a department’s computer network may monitor, scan, copy and quarantine (automatically and manually) emails for network protection purposes.

However, there are strict limitations on the use and disclosure of information obtained in the course of exercising the new network protection exception.

The TIA Act expressly permits a person engaged in network protection duties to, in performing those duties:
- communicate or make use of, or cause to be communicated, information that was lawfully obtained in the course of network protection duties
- communicate the information to other responsible persons for the network, or any other person if the information is reasonably necessary to enable the other person to perform the other person’s network protection duties in relation to the network.

The TIA Act prohibits use of the information for any purpose other than performing those duties, including communication of the information to any other person, recording or giving in evidence.

Therefore, copies of emails and associated information obtained in the course of performing network protection duties must not be used for other purposes such as regulating inappropriate use of the network (other than use threatening network security) or disciplinary proceedings.

There is one further exception that permits information to be disclosed where a serious contravention of the law is suspected. A responsible person for a computer network may communicate the information to an officer of a law enforcement agency if ‘the responsible person suspects, on reasonable grounds, that the information is relevant to determining whether another person has committed a prescribed offence’. ‘Prescribed offence’ is defined to include offences punishable for a period of at least three years.

Records of intercepted communications, such as copies of emails, must be destroyed when they are no longer required for network protection duties.

3.5.1 Safe

So far as it is reasonably necessary to perform network protection duties effectively:
- use automated or manual scanning to detect emails that are suspected to contain viruses, Trojan horses, worms, spyware, adware, rootkits or other malware; or to be of a phishing or spoofing nature; or to be part of a denial of service, email bombing or flooding attack
- quarantine or delete the emails
- create copies of the emails
- manually view the emails
- block senders of emails that threaten network security
- block network access by users threatening network security.

Do not use the information obtained from the above processes for any purpose other than performing network protection duties.

Destroy records of intercepted communications, such as copies of emails, when they are no longer required for the purpose of performing network protection duties.


3.5.2 Unlawful

After manually scanning an email for network protection purposes and detecting inappropriate email use (other than use threatening network security), create or use copies of the emails or information from the emails to inform department management of the inappropriate email use or to discipline the user.

3.6 Spam

The network protection exception and the maintenance exception cannot be relied upon to permit scanning for and quarantining of mere nuisance spam that does not threaten the security of the network. The department therefore needs to follow the same rules that apply to any other email. However, as concluded above, automatic scanning of emails for spam and blocking, deletion or quarantining of emails are not necessarily unlawful acts of interception. Provided that the scanning is automated and the email is automatically blocked, deleted or quarantined, no unlawful interception may be involved. It is also reasonably safe to view the quarantined email to determine its nature, provided that no enduring copy is created.

Departments dealing with spam and malicious emails would also have a strong argument that the senders of spam know their emails will be scanned and blocked, quarantined, viewed or otherwise copied.

Departments should also refer to the TIA Act FAQs section for the application of this issue in an operational environment.

3.7 Absent employees

As viewing or copying an email is only lawful if the email is accessible to the addressee, some changes to department policies concerning emails directed to absent employees may also be required:
- Strictly speaking, departments should not copy and view emails addressed to employees who have ceased employment. These email accounts should be shut down and all emails should be blocked at the gateway to the network. Emails that were received by the employee before leaving may be copied and viewed.
- If employees are on leave and email is delivered or available to their mailbox, advice from Crown Law suggests that the email can still be regarded as having been delivered to the intended recipient and can therefore be copied or viewed by the department.
- If employees have been transferred within the government, email accounts should be shut down and all emails either blocked at the gateway or automatically redirected at that point. Emails that were received by the employee before leaving may be copied and viewed.

4 Application of the TIA Act to typical monitoring activities

4.1 Email drafted by sender but not sent

The department, i.e. the sender’s employer, may copy the draft email without the knowledge of the sender, as the sender has not yet sent the email and therefore it is not a communication passing over a telecommunications system. The TIA Act does not apply.


4.2 Email transmitted or sent by the sender

The department may not, without the sender’s knowledge, copy the email in the process of the email exiting the department’s ICT system. It is reasonably safe for the department to use automated scanning systems on emails exiting the employer’s ICT system, subject to similar factors and processes relating to incoming mail. However, it is more prudent for departments to ensure that the senders (employees) sending emails know that these activities will take place. Processes for ensuring that employees know that these activities will take place are also an important part of addressing other legal issues such as privacy and confidentiality.

The issue of access to copies of emails in the sender’s (employee’s) sent box involves some uncertainty as it will not usually be possible to ascertain whether the email has been received by the addressee. If it has not, then the communication can still be considered as ‘passing over the telecommunications system’. However, the TIA Act does not expressly address the status of the copy on the sender’s equipment. Ensuring that senders (employees) know that their emails may be copied and viewed should overcome any risks.

4.3 Email passes the gateway into the department’s ICT systemOnce an email enters the department’s ICT system, a number of issues arise. Most of these issues involve email filtering, whether by automated systems or the department’s authorised employees (see # above).

In some circumstances, however, it is clear that the email has ceased passing over a telecommunications system and may be accessed by the department without risk:

Email delivered to employee’s terminal and read by employee

The department may copy and view the email as it has clearly ceased passing over the telecommunications system as it has reached the point of being under the control of the addressee.

Email delivered to employee’s terminal but not read by the employee

The department may copy and view the email as the email has ceased passing over the telecommunications systems as it has reached the point of being under the control of the addressee. The department may access the email in the memory of the employee’s computer. This applies even if the employee is not aware that the email has been received.

Email delivered to department’s mail server and available to employee by accessing the server with the employee’s email client

The department may copy and view the email as the email at this point is under the control of the employee as the employee will be able to access the email on the mail server by logging on to their computer and using the email client.

Departments should also refer to the TIA Act FAQs section for the application of this issue in an operational environment.

Note

The department’s rights to access emails remain subject to a range of restrictions such as the principles regulating the exercise of administrative power, privacy standards and legislation, common law privileges, department specific legislation and ownership of or lawful access to the ICT equipment on which emails are stored.


5 TIA Act FAQs

The following Frequently Asked Questions (FAQs) are intended to provide an indication of the comparative levels of risks associated with different monitoring practices and identify some practices that may represent reasonably safe compromises between legal risk and operational necessity. However, departments should pay close attention to the provisions of the TIA Act and obtain legal advice where necessary in formulating and updating their monitoring practices.

This FAQ was originally released in 2007. It has now been updated to take into account the Telecommunications (Interception and Access) Amendment Act 2010.

5.1 What if we don’t monitor at all?

Q. What are the consequences of not monitoring (copying) emails at all? Is there a statutory obligation on departments to monitor for inappropriate or unauthorised material?

There is no specific, express statutory obligation to monitor emails. However, it is conceivable that legal consequences might arise if emails are not monitored. For example, a claim might be brought for negligence or contravention of the Workplace Health and Safety Act 1995 if someone suffers a mental injury due to exposure to disturbing content. Deleting emails should also be considered in light of a department’s obligations under the Public Records Act 2002. In most circumstances none of these factors will provide legal justification for breaching the TIA Act.

5.2 Inappropriate content

Q. Our department currently scans emails for inappropriate content (the scanning is an automatic process). Does this count as accessing the email prior to the addressee?

Automatic scanning of email for inappropriate content is unlikely to constitute a contravention of the TIA Act provided that the scanning does not involve the creation of a copy of the email or, if it does, the copy is only transient as part of the scanning process.

Where scanning is conducted for the purpose of protecting the computer network such as detecting security threats, additional exceptions may apply: see section 3.5 of this document.

Q. Assuming that the TIA Act does permit automatic scanning of email for inappropriate content, then what if our department's automatic scanning process identifies inappropriate content, and quarantines suspect emails for viewing by department staff prior to delivery to the addressee?

Quarantining emails may be permissible provided that the email is merely ‘stopped’ in its course of passing over the network, in such a way that only one copy exists at the one time.

Viewing by departmental staff is more problematic. The safest approach is to avoid manual viewing because it may involve the creation of a copy. At the very least, a copy will appear on the viewer's screen and additional electronic copies will probably be cached.

However, a reasonably safe interpretation of the TIA Act is that manual viewing is permissible provided that no additional enduring copies are created. The department staff could not, for example, take a copy of the email for evidence purposes. The staff could only take a copy of the email once it reaches the mail server. Alternatively, the staff could block the email.

Again, where scanning is conducted for the purpose of detecting security threats and Spam, exceptions may apply: see sections 3.5 and 3.6 of this document.

5.3 Employee withholds authorisation

Q. If a department blocks an email and then forwards an email to the employee seeking their advice as to what they wish to be done with the email – a) deleted or b) manually reviewed by an authorised person – what does the department do if the addressee responds that they do not authorise either of these options?

The safest approach would be to delete the email. The email to the employee could also provide for automatic deletion after a set number of days by default. The TIA Act does not give employees a right to actually receive emails, and the employer may delete emails at any time. All emails should be treated on a case by case basis if circumstances are particularly sensitive.

Issues concerning manual viewing of emails are discussed briefly in Part 2.2 above. Manual viewing may be permissible provided that no additional enduring copy of the email is made. Given that consent has been withheld, however, it may be particularly important to consider other factors such as confidentiality or privacy in the particular circumstances.

5.4 Blocking emails

Q. Where automated email filtering software is used to scan and block messages containing unauthorised content, is it reasonable for departments to modify the automated advice that is sent to employees whose messages have been blocked to state that by requesting the release of the message, the employee is providing consent for the content of the message to be manually viewed prior to the message being made accessible to them? I.e. No consent, no delivery?

It is reasonable for a department to state ‘no consent, no delivery’. There is no obligation on the department to deliver emails.

However, whether or not the department can lawfully view the email even with the consent of the addressee raises other issues under the TIA Act. The prohibition in the TIA Act is concerned with the sender’s knowledge that an email will be copied. The consent of the addressee to manual viewing is therefore not enough by itself.

Whether or not manual viewing is permitted is discussed briefly in sections 3.3 and 3.5 above. Obtaining consent to manual viewing may also assist in mitigating other factors such as confidentiality or privacy.

5.5 Copying before delivery

Q. Is it within the spirit of the legislation to copy “suspect” emails before they are actually delivered knowing that they will be delivered? It is a matter of the timing and we are only talking seconds at most - Copied emails are not reviewed prior to them being delivered. (There will be additional costs if suspect emails can only be copied after actual delivery to the addressee’s mail box).

Email may be copied once it is delivered to the addressee’s mailbox on the mail server and is available for downloading by the addressee. It need not have been delivered to the addressee’s PC or read by the addressee. Timing may be an issue even if a separate copy is taken a split second before it arrives in the employees’ mail box on the mail server.

5.6 Backup

Q. Our department quarantines suspect emails and sends a notification message to the addressees inviting them to request release. The quarantined emails are stored each night by backup. Is this allowable?

It would be safest under the TIA Act not to include these emails in backup.

An argument might be made that backup falls within the network protection duties exception as it is something required to effectively perform duties concerning the operation, protection or maintenance of the computer network. However, the legal strength of this argument has not been tested. There is also a strict obligation only to use copies of emails created for the purposes of network protection for those purposes, and to destroy them as soon as they are no longer required for those purposes.

5.7 Spam

Q. Our department currently scans emails for Spam (the scanning is an automatic process). Does this count as accessing the email prior to the addressee?

Automatic scanning of email for Spam is unlikely to constitute a contravention of the TIA Act provided that the scanning does not involve the creation of a copy of the email or, if it does, the copy is only transient as part of the scanning process.

It is possible that additional activities concerning scanning for and dealing with Spam may be lawful under the network protection duties exception in the TIA Act. This would need to be Spam received in quantities that actually threaten network security, not just everyday ‘nuisance’ spam. The network protection duties exception is considered in section 3.5. Spam is considered in section 3.6.

Q. If quarantining/blocking on a server during the delivery of email is deemed not allowable, can suspected Spam be automatically tagged/annotated once the email has arrived in the addressee’s mailbox?

Yes. Once the email has arrived in the addressee's mailbox, it is accessible to the addressee and the TIA Act no longer applies to limit scanning or copying.

Q. Is it then allowable to search for the tag/annotation and the returned results to be deleted?

Yes. Once it’s in the mailbox, scanning and copying is no longer an issue.

Q. My department uses an electronic scanning application that identifies emails that are highly likely to be Spam and deletes them without notifying the addressee. Is this acceptable under the Act?

If the scanning itself is permitted under the maintenance exception, then deletion is no problem under the TIA Act. Deletion is in fact preferable to keeping a copy.


Q. Currently, samples are taken of Spam that employees have received and authorised officers create blocking rules to prevent this type of Spam getting through in the future. Will this activity be an acceptable practice under the TIA Act?

Sample taking from email in an employee's mailbox on the mail server is fine as it is already accessible to the addressee.

Q. Can “real” Spam (vendor determined with a high confidence level of accuracy) be treated the same as a virus (“automatically” determined by vendor metrics, captured and deleted immediately or after a quarantine period)?

Yes. If the Spam is detected by automated scanning relying on these types of metrics, it may be captured and deleted immediately or after a quarantine period.

Q. Many of the Phishing attacks encountered by departments have been via Australian bank addresses, for example: anz.com or anz.com.au, suncorp.com.au and so on. In order to ensure that these attacks are not transferred through to the users (generally 1,000 e-mails received per attack), these addresses (all bank domains from which an attack has come) are quarantined and reviewed prior to releasing/actioning. In the above case, does reviewing the individual e-mail before actioning contravene the Act as currently written?

As discussed in sections 3.3 and 3.5 above, manual scanning of quarantined emails may be permissible generally provided that no enduring copy is made of the email. However, viewing and creating copies of emails in the course of dealing with Phishing attacks would most likely fall within the network protection duties exception in any case.

Even if the network protection duties exception does not apply, however, it will also most likely be lawful to deal with email coming from known fraudulent domains such as these as senders such as these know that the email will often be scanned.

Q. Notwithstanding difficulties of the department in regards to Spam how are third party Spam filtering services to react to this requirement? Does department use of a Spam service effectively ‘authorize, suffer or permit another person to intercept a communication’?

Provided that the Spam service only utilizes automated scanning of Spam and does not create additional enduring copies, there are unlikely to be any difficulties.


Q. In our organisation, received emails detected as Spam are marked in one of two ways: “Blatant” Spam, which is deleted or “Likely” Spam which is placed in a quarantine area. Quarantined emails are kept for a fixed period of time and then automatically deleted, the user is not notified of emails that have been quarantined. The messages in the quarantine folders are not accessed by any other staff members. The volume of email placed into quarantine depends on various factors, but in different parts of the organisation we see up to 15% of received email being put into quarantine. It would be inconvenient and burdensome to the users to notify them of each particular email that is quarantined. It would be equivalent to allowing the Spam to be delivered in the first place. Deleting these emails immediately isn't an option as users occasionally make requests regarding an email they believe they should have received but didn't. They are subsequently given access to their quarantine folder, where they may find a legitimate email which they can clear from quarantine. If a user doesn't request access to their quarantine folder it isn't provided to them. Once they have requested access initially, it is available for them to access directly at any time in the future. It is done this way to avoid confusion for the majority of users who will never need access to their quarantine folder. Do we need to notify the users about these quarantined messages at all?

Automated scanning and quarantining of emails is most likely permissible, provided that no additional enduring copies of the emails are created. There is no obligation to notify users about quarantined messages. As also discussed in 3.3 and 3.5, while manual viewing of emails is best avoided, a reasonably safe interpretation of the TIA Act is that manual viewing is permissible provided that no additional enduring copies are created.

Q. Do we need to provide everyone with access to their quarantine folder even if they haven't asked?

If the department wished to engage in manual viewing of emails or, in particular, taking copies, this would technically be the safest approach as the emails would then clearly be accessible to the addressees and therefore no longer protected by the TIA Act. However, if the department does not wish to do these things, then the department does not need to, and would obtain no legal benefit from, providing everyone with access.

Q. Could we send users a regular, e.g. weekly, message indicating summaries of the messages that have been quarantined?

The mechanics of doing this would need to be considered as it would most likely involve creation of copies of at least part of the emails, e.g. the subject. Provided that it is an entirely automated process that delivers the summary to the user and does not keep an enduring copy of the summary email, it seems unlikely that there would be any problem.

Q. Could we continue as we are operating now?

Provided that the factors considered above are considered, the department would be reasonably safe in continuing to operate in the same way.


5.8 Emails that threaten the network

Q. Our department currently scans emails for viruses and other code that may threaten the computer network (the scanning is an automatic process). Does this count as accessing the email prior to the addressee?

Automatic scanning of email for dangerous emails is unlikely to constitute a contravention of the TIA Act provided that the scanning does not involve the creation of a copy of the email or, if it does, the copy is only transient as part of the scanning process.

The TIA Act provides additional protection concerning scanning for and dealing with emails that threaten network security. The network protection duties exception is discussed further in the response to the questions below.

Q. What types of activities fall within ‘network protection duties’?

Network protection activities include activities intended to protect the communication of and access to information on the network, as well as network infrastructure. The TIA Act has been criticized for not making the scope of the term more clear. However, it seems likely that network protection duties extend to activities intended to detect and protect against viruses, spoofing, phishing, Trojan horses, worms, spyware, adware, rootkits and other malware, denial of service, email bombing or flooding attacks, and potentially harmful file types. It may also cover activities in the course of penetration testing and file back-up procedures.

However, network protection duties do not extend to protection of network users’ wellbeing or efficiency, dealings with spam of ‘nuisance’ value only or monitoring or filtering activities aimed at detecting breaches of acceptable use policies.

Q. Who can take advantage of the network protection exception?

Only specially authorised officers can engage in network protection duties and take advantage of the exception. The officers should be authorised in writing by the ‘responsible person’ for the department – the director-general or chief executive officer – or his or her delegate, such as the chief information officer. The authorisation chain should therefore be carefully documented.

Q. If automated scanning detects an email that I suspect threatens the computer network in some way, what can I do with the email?

You can block or delete the email without any need to rely on the network protection duties exception. You could also permit the email to proceed to the addressee’s mail server if it is not too dangerous or you are happy to take a copy from there, given that taking a copy once the email is available to the intended recipient is not subject to any TIA Act restraints.

However, if you want to consider the email further, for example to determine whether or not it is really a threat, or to run diagnostics, or to use it as a sample or extract information to assist in detecting or blocking other threats, then you may quarantine or create additional copies of it provided that you stay within the network protection duties exception. This exception is limited to the activities outlined in the previous question.


Q. What can I do with information I gain from viewing or copying an email under the network protection duties exception?

You can use the information to carry out network protection duties or communicate the information to other persons such as other authorised users for the same purpose. You must not use copies of emails and associated information for other purposes such as regulating inappropriate use of the network (other than use threatening network security) or disciplinary proceedings.

Records of intercepted communications, such as copies of emails, must be destroyed when they are no longer required for network protection duties.

Q. What if in the course of carrying out network protection duties I discover some unlawful activity?

You should notify the responsible person for the computer network. This will be the director-general or chief executive officer, or possibly the Chief Information Officer as a delegate. The information may only be provided to an officer of a law enforcement agency if the responsible person him or herself suspects, on reasonable grounds, that the information is relevant to determining whether another person has committed an offence punishable for a period of at least three years. You must not, for example, notify internal disciplinary officers unless they are themselves authorised officers.

5.9 Knowledge of sender

Q. If a department changes its disclaimer and policy to identify that blocked emails will be stored on the corporate network, and the emails may be viewed by authorised staff (clearly outlining the staff and circumstances) will this satisfy the TIA Act?

This will assist. However, it must be borne in mind that a department’s disclaimer and policy only work to the extent that they let senders know that the emails may be intercepted. It is the knowledge of the sender that is necessary.

5.10 Without the knowledge of sender

Q. In attempting to mitigate advising external users that corporate emails are scanned for whatever reason, is the placement of advisories to this effect on corporate web sites etc sufficient in respect to "the sender knows this will occur"?

Advisories are a good idea, whether on the department’s web site or e.g. appended to emails sent by departmental employees. But in each case, it’s a question of fact whether the sender subjectively knew it would be intercepted.

5.11 Emails from government addresses

Q. Can we assume that all senders of emails from Government addresses know that their emails may be intercepted?

In each case, it’s still a question of fact whether the sender knew the email would be intercepted. The department needs to assess how much confidence it has:

that its own staff know the department’s policies

that staff from other departments know that emails to the department may be intercepted.

It is safest to treat all emails the same. If the department is confident that its own employees know the department’s policies, then it could consider intercepting internal email.

5.12 Forwarding emails

Q. What about email forwarded from a user’s mailbox to another user?

Once the email has arrived at the mail server or at a user’s mailbox, the TIA Act ceases to apply.

5.13 Non-user specific email addresses

Q. What about non user-specific email addresses, e.g.: role or position based, or team email addresses? Does email sent to individuals at these addresses need to be handled in any particular way?

There are three categories within which an “Intended addressee of a communication” may fall. These are:

If the communication is addressed to an individual (either in the individual’s own capacity or in the capacity of an employee or agent of another person)—the individual; or

If the communication is addressed to a person who is not an individual—the person; or

If the communication is not addressed to a person—the person who has, or whose employee or agent has, control over the telecommunications service to which the communication is sent.

Once email arrives in a role/team mailbox, there are no problems as the TIA Act does not apply. Prior to that point, however, it is necessary to consider who is the actual intended recipient. A team email address may fall within the third category considered above – email not addressed to a person. Therefore, the department may have general rights of access to the email as it controls the telecommunications service. However, in some cases emails sent to role-based addresses or even team-based addresses may really be ‘addressed’ to an individual, particularly if an individual person or a small, identifiable group of people is involved. In the TIA Act, ‘address’ does not necessarily mean the same thing as an email address as it is supposed to be technology neutral. An address could be, for example, a header in email that says: ‘Attention: [name of officer]’.

Generally, unless it is proposed to have special monitoring or quarantining protocols for these addresses prior to receipt on the mail server, there should be no special issues under the TIA Act. Confidentiality and privacy considerations may arise when it comes to access to and redirection of personal emails in these situations, when individual recipients can be identified.

5.14 Employees on leave

Q. What if a staff member is on extended leave and their email is forwarded to their replacement?

The TIA Act ceases to apply once an email is accessible to the addressee, i.e. it is under the addressee's control or has been delivered to the telecommunications service provided to the intended recipient. It is likely that an email arriving in an absent employee's mailbox on the server is still 'accessible' in one or both of these ways. Accordingly, it is most likely that the department may continue to deliver email to the absent employee's mailbox, and the email may be forwarded to the employee's replacement. It would not be necessary to exclude the mailbox from backups or automatic indexing or searching tools.

5.15 Employees who have left a department

Q. Is it permissible to automatically redirect messages addressed to employees who have ceased employment if this is being done at the request of the employee prior to their leaving (i.e. to allow redirection of messages to the new employee who will be fulfilling the role)?

This is not clear. Once an employee has left, it may be difficult to claim that a new email arriving at the mail server is still under the employee's control, and the employer is no longer providing the employee with a telecommunications service. A cautious approach would be to simply block all emails for that address. Short of this approach, the department should at least obtain clear and specific written consent from the ex-employee in order to support the argument that the employee had ‘control’ over the emails.

5.16 Who should review emails?

Q. Who would you recommend as an authorised employee for reviewing of emails? E.g. what level; should they be from an area outside of IT?

This is a matter for department internal risk assessment and is not covered by the TIA Act. For example, the department should ensure that it has clear guidelines, policies and procedures for employees reviewing emails.

However, a person engaged in reviewing emails in the course of network protection duties should be specially authorised as outlined in section 3.5 above.

5.17 Who should review emails of absent employees?

Q. Regarding absent employees, who would you recommend be authorised to copy and view the emails? Should this be different to the role in the question above?

For general monitoring, or if special access is required, then the answer is as for Question 5.15 above. Once the email is accessible, i.e. on the mail server or in the mailbox, other employees may view the email without TIA Act implications. However, there may be privacy or confidentiality issues.

5.18 Identifying reviewers

Q. When advising the intended addressee of a quarantined email, are departments required to specifically state who or which workgroup in the department may be viewing the message?

The TIA Act does not require this. There may be privacy or confidentiality issues.


5.19 Preventing loss of records

Q. How can the department prevent intentional or unintentional loss of records that have been stored on a personal mailbox and not placed on an approved document management system prior to employment termination?

Once the email has reached an addressee’s personal mailbox, on the mail server or the addressee's PC, the TIA Act does not apply to prevent copying, even if the employee is terminated, and even if the employee never read the email.

5.20 Retrieval after termination

Q. Where a personal email mailbox may have sensitive or confidential information that should have formed part of the department's records can an approved officer retrieve this information after the employment has terminated?

As above, if the email reached the personal mailbox at a time when it was accessible by the intended recipient (i.e. before termination of employment), the TIA Act does not apply.

5.21 Complaint to CMC

Q. A former employee of the department makes a complaint to the CMC re inappropriate emails being sent around the workplace when they were employed. In the course of the investigation both current and former employees of the department have their email stores restored and viewed as part of the process.

See above in relation to ‘Retrieval after termination’.

5.22 Email storage for ex-employees

Q. Can personal email mailboxes for terminated staff be deleted from the network?

The TIA Act does not prohibit deletion of email mailboxes for terminated staff.

Q. At what time following termination should this occur? If so, should they be retained in any other form off-line?

The TIA Act does not apply. Whether they should be retained is a record keeping matter.

5.23 Liability

Q. Under what circumstances would an individual be liable rather than a department with regard to Email monitoring and the TIA Act? What protection do ‘authorised’ staff have if required to review email with these statements?

Liability for an offence is personal. A civil claim could be made against either the department or the individual. The Crown will accept full responsibility for civil claims ‘where the Crown employee concerned has diligently and conscientiously endeavoured to carry out assigned duties’ (Cabinet Decision No. 37501 of 20 April 1982).


5.24 Web based email

Q. Webmail is not delivered in the manner covered by the TIA Act – it does not come through department firewalls and is not delivered to a department mail box. We do scan text content and block if inappropriate content is detected?

The TIA Act applies to all communications passing over a telecommunications system, and therefore applies to all Internet use, including web based email. This document is primarily concerned with the implications of the TIA Act for monitoring emails using departmental addresses, and additional advice should be obtained concerning the application of the legislation to other activities.

Q. Is it advisable/recommended to only allow staff to access and use “.qld.gov.au” email addresses using departmental facilities and devices, e.g. ban access to webmail (yahoo, google, hotmail etc)?

This is a matter for department internal risk assessment.

5.25 Smart phones/PDAs

Q. How does the TIA Act affect Smart phone / PDA mobile device usage and monitoring?

The TIA Act is intended to be ‘technology neutral’. The same issues as considered for emails must be applied. The lawfulness of dealings with a mobile device may therefore depend on how the email account for the device is set up. If the email is still based on a mail server within the department's network, then email directed to a mobile device may be treated the same as normal email. It may therefore be viewed and copied from the addressee’s mailbox on the server, whether or not the addressee has downloaded the email to the mobile device. Email stored on the device itself may be retrieved from the device only if the department has legal access to the device, for example if it owns the device or has the owner's consent.


Appendix A Definitions and terms for interpreting the TIA Act

The following information regarding definitions should be considered when developing departmental monitoring processes.

Term Definition/interpretation

Unlawful interception

Section 7(1) of the TIA Act

A person shall not:
a) intercept;
b) authorise, suffer or permit another person to intercept; or
c) do any act or thing that will enable him/her/another person to intercept,
a communication passing over a telecommunications system.

Consequences – breach of Section 7(1)
– S 105 – an offence punishable by up to two years imprisonment, to intercept or to use the information.
– S 107A – civil remedies, including damages and injunctions.

A ‘communication’

Includes emails, as well as telephone conversations (including VOIP) and other forms of electronic communication.

‘Intercept’

Means listening to or recording the communication without the knowledge of the sender:
– Recording is defined as ‘recording or copying the whole or a part of a communication’.
– ‘Listening’ does not apply to emails – it does not equate to reading.
– ‘Whole or part’ means that copying attachments only is still copying.

What is ‘copying’?

To copy is to duplicate or reproduce something.

The creation of copies is an essential part of the transmission of emails. The application of the concept to emails is therefore often artificial.

However, the TIA Act issues for an agency arise once an email enters the agency’s computer network.

For copies made by an agency, there is no reliable indication that the length of time a copy exists or, in most cases, the purpose for which it is created is important when determining whether a breach has occurred.

A copy – lawful or unlawful – may therefore include:
– the first record of the email on the agency’s system
– the copy on the mail server
– the copy on the recipient’s PC
– a copy included in a network backup
– a quarantined copy of email
– possibly, a transient copy created for automatic electronic scanning purposes
– the copy of a viewed email that is cached in the viewer’s PC.

When a human reads or views an email, the email is visible on the monitor and also in the viewer’s PC or other computer equipment. Viewing an email may therefore be tantamount to copying the email.

However, the Federal Attorney-General’s Department favours the view that viewing an email does not constitute making a copy, provided that an enduring copy of the email (e.g. a copy in the cache of the PC) is not made as a result of the process. The concept of an ‘enduring copy’ is discussed further later in this fact sheet.

‘Passing over a telecommunications system’

An email commences passing over a telecommunications system when the sender clicks ‘send’.

It continues to pass until it becomes accessible to the intended recipient.

While it is passing over a telecommunications system, the prohibition on interception applies.

‘Accessible’

A communication is accessible if it:
– is under the control of the intended recipient, OR
– has been delivered to or received by the telecommunications service provided to the intended recipient.

An email is therefore accessible if:
– the email has been accessed by the addressee, whether or not the email has been read, OR
– the email is available to the addressee, even if the addressee is not aware that the email exists, e.g. the email is on the employee’s PC, or is on the mail server and able to be downloaded by the employee from their PC, but the employee is not logged on and has not yet downloaded the email.

‘Intended recipient of a communication’

The intended recipient is the addressee.

If the communication is addressed to an individual (either in the individual’s own capacity or in the capacity of an employee or agent of another person) – the intended recipient is the individual.

If the communication is addressed to a person who is not an individual – the intended recipient is the person.

If the communication is not addressed to a person – the intended recipient is the person who has, or whose employee or agent has, control over the telecommunications service to which the communication is sent.

‘Network protection duties’

A person may record or copy an email if the person is authorised, in writing, by a responsible person for a computer network to engage in network protection duties in relation to the network.

The network protection duties exception is a new exception introduced by the 2010 amendments to the TIA Act.

The TIA Act defines ‘network protection duties’, in relation to a computer network, to mean duties relating to the operation, protection or maintenance of the network. The definition also includes ensuring that the network is appropriately used by employees, office holders or contractors but this applies only to the Queensland Police and the Crime and Misconduct Commission computer networks.

The TIA Act does not define computer network.

The introduction of the network protection duties exception has been criticized due to the lack of certainty as to the types of activities that fall within the exception.

The Explanatory Memorandum to the 2010 amendments stated that network protection activities include activities intended to protect the communication of and access to information on the network, as well as network infrastructure.

Crown Law has provided guidelines, after consideration of the TIA Act, the background to the amendments (including the Explanatory Memorandum) and discussions with the Federal Attorney-General’s Department.

It seems likely that network protection duties extend to:
– blocking, quarantining, analysing or filtering practices intended to detect and protect against:
  - viruses, spoofing, phishing, Trojan horses, worms, spyware, adware, rootkits and other malware;
  - denial of service, email bombing or flooding attacks; and
  - potentially harmful file types;
– penetration testing; and
– file back-up procedures.

The exception applies only so far as it is reasonably necessary for the person to intercept the communication in order to perform those duties effectively.

Network protection duties do not extend to:
– protection of network users’ wellbeing or efficiency;
– dealings with spam of ‘nuisance’ value only; or
– monitoring or filtering activities aimed at detecting breaches of acceptable use policies.

The exception also does not permit the interception of speech communications. The Explanatory Memorandum indicates that voice communication in the form of packet data, such as Voice over Internet Protocol (VoIP), may be interrogated but the data cannot be reconstructed in order to listen to the actual voice communication.

‘Responsible person for a computer network’

The responsible person for a computer network is the ‘head’ (however described) of the body operating the network. In the case of an agency computer network, the responsible person will be the officer in the position of director-general or chief executive officer. This officer could then delegate the position to other persons such as the chief information officer. Multiple persons may hold the position simultaneously in respect of one organisation.

The responsible person may then authorise other officers ‘to engage in network protection duties’ so that they can take advantage of the network protection duties exception. No particular form of authorisation of a responsible person is prescribed. However, it should be in writing signed by the director-general or chief executive officer (or equivalent) of the organisation.

Maintenance exception

A person may record or copy an email where it is reasonably necessary for the person to intercept the communication in order to effectively perform duties concerning the maintenance of equipment or a line.

Prior to the introduction of the network protection duties exception, it was necessary to consider whether this exception could be relied on to permit the type of activities now covered by the network protection duties exception. With the introduction of the new exception, the maintenance exception is unlikely to be important to network monitoring activities.

Original or copy?

The concepts of ‘original’ and ‘copy’ are difficult to apply to emails. However, it is necessary to apply these terms in order to interpret the TIA Act.

The ‘original’ of an email could be seen as all instances of an email that occur during the ordinary course of the email passing from the sender’s PC to the intended recipient’s PC. Copies of the email, in the sense of electronic signals, exist at various points through this process but are transient.

A ‘copy’ of an email could be seen as any copy of the email created outside of this process, prior to the email becoming accessible to the intended recipient by lodging on the mail server.

A reasonably safe interpretation of the ‘original’ and ‘copy’ dichotomy indicates that emails can be quarantined. If the email is ‘stopped’ before it lodges on the mail server, e.g. by quarantining it, no copy is made. The quarantined email is the original. The creation of an additional copy from that quarantined copy (e.g. to use as evidence) would be copying.

Transient or enduring copies?

Accessing an email is only unlawful interception if ‘recording’ occurs. The TIA Act defines recording to include copying the whole or part of a communication. There are two possible interpretations of ‘copying’:

– copying is any reproduction of the email (other than a copy that would occur at some point in the ordinary course of the email passing from the sender’s PC to the intended recipient’s PC). This would include copies made for the purposes of automated scanning or for viewing by a human, even if the copy is immediately deleted once the scanning or viewing is completed.

– copying is limited to the making of an ‘enduring’ copy of the email. On this interpretation, the TIA Act does not prohibit an automated scanning application making a copy of the email provided that it does not retain a copy. It also does not prohibit a human viewing the email, provided that they do not retain an enduring copy.


Appendix B Possible treatment of incoming email under the TIA Act

[Flowchart: possible treatment of incoming email under the TIA Act. The connecting arrows and the Yes/No, Release, Notify and Delete branch labels are not reproduced here; the text of the boxes and notes follows.]

Start: Email arrives at network boundary
▪ Automated scanning (eg spam, size limits, threats to network security, unauthorised use).
▪ No enduring copies made at this level

Automated decision based on category

Decision points:
– Scan shows it should be deleted (eg. known spam, malware, excess size)?
– Scan shows it is a threat to network security?
– Scan shows it may be unwanted spam (not threat or unauthorised use)?
– Scan shows unauthorised use?
– Does intended recipient request release? (in two branches)
– Does manual scan confirm it threatens network security?

Actions and outcomes:
– Automated deletion or blocking. Do not keep copy
– May notify intended recipient of deletion
– Quarantine email. Only view for NPD 1
– Quarantine email. Safest not to view 2
– Quarantine email. Do not view 2
– Notification email to intended recipient (in two branches)
– Send to mail server for intended recipient
– Delete. Safest not to view. Do not keep copy (in two branches)
– Authorised person manually scans and can use information & make additional copies but only for performing NPD
– May permit delivery to intended recipient
– Delete copies & information when no longer needed for NPD. Do not keep copy
– May take any other action required for network security, including viewing, passing onto responsible person, notifying intended recipient and arranging release 3
– If manual scan indicates that email does not threaten security but indicates unauthorised use all copies made and information recorded must still be destroyed 3
– Authorised person or another officer may view and copy message here and use for any purpose subject to other laws eg. privacy

Notes:

1 NPD = Network Protection Duties

2 Possible manual scanning of quarantined emails for any purpose may occur here provided a further enduring copy is not made, based on Australian Government Attorney-General’s Department interpretation

3 The copies and information cannot be used for any reason other than NPD unless the information is relevant to determining whether a person has committed a prescribed offence, in which case it may be provided to a law enforcement agency


Version history

Document authors: Crown Law, IPCO

Filename: document.doc

| Version | Date | Author | Description |
|---|---|---|---|
| 0.0.1 | 20 May 2011 | IPCO | Convert to new template |
| 0.0.2 | August 2011 | Policy Governance, ICT Policy and Coordination Office | Proofread, edit |
| 0.0.3 | September 2011 | Policy Governance, ICT Policy and Coordination Office | Minor edits |
| 0.0.4 | January 2012 | ICT Policy and Coordination Office | Minor edits as a result of formal QGEA consultation. |
| 1.0.0 | July 2012 | Queensland Government Chief Information Office | Approved by Executive Director, QGCIO. |
