At least one university has put out a tender for a “solution” to meet its requirements under the Act.

But others, including the University of Melbourne, are yet to decide how to respond.

Melbourne University was “still in the process of evaluating the consequences and implications of the Act,” a spokesman, David Scott, told The Citizen. “It will continue to work with colleagues across the sector on this issue.”

The lobby group Universities Australia has argued that universities should be exempt from data retention obligations, but the Attorney-General’s Department says they must collect certain data if they meet the legislative definition of a carrier.

However, Bruce Arnold, an assistant professor in the University of Canberra’s law school, slammed the data retention legislation.

“What we’re seeing is bad law, badly communicated and badly implemented,” he said. “It has been badly communicated, evident in the uncertainty of the universities and of the Attorney-General’s Department regarding whether and how those institutions are covered.”

Angela Daly, vice chancellor’s research fellow in the law department at Queensland University of Technology, did not appear surprised by the universities’ confusion.

“I’d say that, in general, implementing this data retention legislation has been very difficult and confusing for a number of bodies, universities included – let alone costly,” she said.

In April, Ballarat-based Federation University put out a tender on tendersearch.com.au calling for the “provision of a solution to meet the requirements of the Data Retention Legislation obligations” under the Act. However, the University declined to eleborate on what it understood to be its obligations under the legislation.

When asked whether universities were required to retain data under the Act, a spokesman for the Attorney-General’s Department said if a university met the legislative definition of a carrier, carriage service provider or internet service provider it “may have data retention obligations”.

“Services such as internet access, telephony, SMS and email have data retention obligations when offered by providers,” he said.

Dr Daly said many aspects of campus life and academic work could be affected should universities be required to retain data.

“Things that could be impacted by this kind of scheme on university campuses are: academic freedom; freedom of assembly; trade union activities for staff; student union activities; campaigns,” she said.

Meanwhile, a Universities Australia spokesperson said obligations under the Act could include the rentention of non-content metadata relating to phone calls, emails and texts for up to two years.

“There are exceptions for universities under the Act, although not all activities of universities may be regarded by the government as covered by that exception.”

“The [Attorney-General’s] Department is working with providers to understand how the legislation applies to their specific service offerings and business models.” — department spokesman 

The spokesperson said the group had pushed its point with government.

“Universities Australia has advocated strongly on behalf of universities to minimise the impact on universities and has provided high level advice to the sector on exemptions. The particular application of the Act may vary with each university.”

In January 2015, Sydney University vice-chancellor Michael Spence called on the government “to exempt universities from requirements to retain telecommunications data in relation to their own internal networks”.

But the Attorney-General’s spokesman said a university’s obligations under the Act would “differ based on the specifics of each service”. “The Act excludes certain services from obligations,” he said. “For example, a service that a provider makes available only to its employees does not attract obligations.”

He added: “The Department is working with providers to understand how the legislation applies to their specific service offerings and business models.”

The Office of the Communications Access Co-ordinator within the Attorney General’s Department was currently overseeing the implementation of the Act’s requirements within the university sector. Several universities had been in touch with the co-ordinator to check their obligations, but the spokesman would not name the specific institutions.

“If the Attorney-General’s Department cannot — or will not — give a clear answer and hasn’t published clear guidelines that are readily understood by institutions, we need to be asking some serious questions about both the legal framework and the effectiveness of the department.” — assistant professor Bruce Arnold, University of Canberra Law School

Dr Arnold said the Department’s explanation of the sector’s obligations was unsatisfactory.

“If the Attorney-General’s Department cannot — or will not — give a clear answer and hasn’t published clear guidelines that are readily understood by institutions, we need to be asking some serious questions about both the legal framework and the effectiveness of the department,” he said. “We should expect the department to have learnt from the Attorney-General’s inability to explain what is meant by metadata.”

Dr Daly argued such data retention would not be legal in other countries.

“I think it’s also important to emphasise that this is essentially a warrantless mass surveillance scheme which would not be legal in other countries, especially those of the European Union, which still includes the UK, for the moment anyway,” she said.

Ultimately, Dr Arnold said academic staff and students could be tempted to switch to what were perceived to be more secure communications systems, such as instant message app Wickr.

“After all, some of Australia’s brightest and feistiest network engineers and software specialists teach or study at universities,” he said. “Lack of transparency about the current metadata regime fosters distrust of law making and implementation; it’s not justified by the weak argument that disclosure and consistency foster terrorism and other offences.”