The public notification by Optus of its data breach (Background) has triggered a conversation about what customer data needs to be obtained, retained and destroyed and when, as well as investigations and privacy law reform.

Privacy law reform

In an interview on ABC Insiders on 2 October 2022 the Attorney General said:

“I think that companies should not store information forever. It seems to have been the case, with Optus, keeping the very personal data of customers who had ceased to be customers years ago and I’ve yet to hear a reason why that was going on. In particular, it’s a concern because Optus failed to keep that information safe. So, one of the settings in the Privacy Act is that information that belongs to Australians is only to be used for the purpose for which it’s collected and if the purpose here was to identify someone who’s opening an account or getting a phone from Optus that’s the end of it…

companies throughout Australia should stop regarding all of this personal data of Australians as an asset for them, they actually should think of it as a liability… we are going to look very hard at the settings in the Privacy Act and I may be bringing reforms to the Privacy Act before the end of the year to try and both toughen penalties and make companies think harder about why they are storing the personal data of Australians.”

Investigations

The Office of the Australian Information Commissioner (OAIC) has announced an investigation into the personal information handling practices of the Optus companies.

The OAIC’s investigation will focus on whether the Optus companies took reasonable steps to protect the personal information they held from misuse, interference, loss, unauthorised access, modification or disclosure, and whether the information collected and retained was necessary to carry out their business.

The investigation will also consider whether the Optus companies took reasonable steps to implement practices, procedures and systems to ensure compliance with the Australian Privacy principles (APPs), including enabling them to deal with related inquiries or complaints.

The OAIC’s investigation will be co-ordinated with that of the Australian Communications and Media Authority (ACMA)

ACMA will investigate Optus’ obligations as a telecommunications service provider, including relating to the acquisition, authentication, retention, disposal and protection of personal information, and requirements to provide fraud mitigation protections.

Data retention and destruction checklist

Here is a general checklist for financial services providers of information you need to retain and for how long.

As I have noted, a data retention policy should also include a data destruction policy and a data breach notification plany.

If you found this article helpful, then subscribe to our news emails to keep up to date and look at our video courses for in-depth training. Use the search box at the top right of this page or the categories list on the right hand side of this page to check for other articles on the same or related matters.