https://www.oaic.gov.au/privacy/the-privacy-act
Covers it pretty well.

On Tue, 27 Sept 2022 at 16:36, James Murphy <[email protected]> wrote:
>
> Does anyone know which laws cover the data they were keeping?
>
> Did a search for anything with "telecommunication" in the name (link), found
> 71 results and downloaded 73 PDF files (C2022C00170 Telecommunications Act
> 1997 had 3 files, all others had 1 file), and can't find anything that
> mentions keeping this level of data.
>
> The closest thing I found was in the following:
>
> C2022C00151 - Telecommunications (Interception and Access) Act 1979
> C2015A00039 - Telecommunications (Interception and Access) Amendment (Data
> Retention) Act 2015
> C2021A00078 - Telecommunications Legislation Amendment (International
> Production Orders) Act 2021
>
> which contained the following two sections that seem to cover identification
> information - there doesn't seem to be anything that says they need to
> collect or store to the level that Optus seems to have done.. Almost reads
> like you could store name and address (without DOB?) and that would be
> adequate enough (but I'm not a lawyer so who knows).. Am I looking in the
> wrong place/at the wrong laws?
>
> > 13 Identification of a particular person
> > For the purposes of this Schedule, a particular person may be identified:
> > (a) by the person’s full name; or
> > (b) by a name by which the person is commonly known; or
> > (c) as the person to whom a particular individual transmission service is
> > supplied; or
> > (d) as the person to whom a particular individual message/call application
> > service is provided; or
> > (e) as the person who has a particular account with a prescribed
> > communications provider; or
> > (f) as the person who has a particular telephone number; or
> > (g) as the person who has a particular email address; or
> > (h) as the person who has a particular internet protocol address; or
> > (i) as the person who has a device that has a particular unique identifier
> > (for example, an electronic serial number or a Media Access Control address);
> > or
> > (j) by any other unique identifying factor that is applicable to the person.
>
> and
>
> > 187AA Information to be kept
> > (1) The following table sets out the kinds of information that a service
> > provider must keep, or cause to be kept, under subsection 187A(1):
> >
> > Item 1
> >
> > Topic: The subscriber of, and accounts, services, telecommunications devices and
> > other relevant services relating to, the relevant service
> >
> > Description of information: The following:
> >
> > (a) any information that is one or both of the following:
> > (i) any name or address information;
> > (ii) any other information for identification purposes;
> > relating to the relevant service, being information used by the service
> > provider for the purposes of identifying the subscriber of the relevant
> > service;
> >
> > (b) any information relating to any contract, agreement or arrangement
> > relating to the relevant service, or to any related account, service or
> > device;
> >
> > (c) any information that is one or both of the following:
> > (i) billing or payment information;
> > (ii) contact information;
> > relating to the relevant service, being
> > information used by the service
> > provider in relation to the relevant service;
> >
> > (d) any identifiers relating to the relevant service or any related account,
> > service or device, being information used by the service provider in relation
> > to the relevant service or any related account, service or device;
> >
> > (e) the status of the relevant service, or any related account, service or
> > device.
>
>
> On 27 Sep 2022, at 11:12, Nathan Brookfield
> <[email protected]> wrote:
>
> > They’re legally obligated to retain it but why it’s on the API and why it’s
> > not encrypted.
> >
> > Looking at the data some fields are hashed and then repeated in the bloody
> > clear :(
> >
> > On 27 Sep 2022, at 11:02, [email protected] wrote:
> >
> > > My understanding was that the data included the 100 points of ID info. Why
> > > are they retaining this? Surely after confirming the 100 points there only
> > > needs to be a record "100 points provided"=true and not retain the actual
> > > details. This goes back to only keeping the private data you need.
> > >
> > > regards,
> > > Glenn
> > >
> > > On 2022-09-27 10:49, Damien Gardner Jnr wrote:
> > >
> > > > Personally, I find putting Authentication on my API endpoints to be a
> > > > FANTASTIC first step towards API security. And then not even using
> > > > public IP addresses in test environments is a pretty good second
> > > > step.. </onlyhalfsarcasticherewhydoesthiskeephappening>
> > > >
> > > > On Tue, 27 Sept 2022 at 10:46, Bevan Slattery <[email protected]>
> > > > wrote:
> > > >
> > > > > Hi everyone,
> > > > > Obviously a big week in telco and cybersecurity. As part of my work
> > > > > I am on the Australian Cyber Security Industry Advisory Committee as
> > > > > an industry representative.
> > > > > I am keen to look at opening up a dialogue with more and more telco,
> > > > > DC and Cloud CISO’s on what they are doing around this issue and
> > > > > looking to take a proactive step towards best practice on customer
> > > > > data and system security.
> > > > > There will be some pretty serious consequences of this hack on the
> > > > > industry and importantly we need to make sure we are as best placed
> > > > > to help each other continually increase in security posture through
> > > > > best practice, but also working with each other as an industry.
> > > > > Are people keen on having an online/VC session sometime in the next
> > > > > few weeks where like-minded industry participants get together and
> > > > > discuss security, retention, encryption, threat detection etc.? If
> > > > > so, just ping me directly and if there is enough interest I will
> > > > > send out an invitation to the list for a call.
> > > > > Cheers
> > > > > [b]
> > > > > _______________________________________________
> > > > > AusNOG mailing list
> > > > > [email protected]
> > > > > https://lists.ausnog.net/mailman/listinfo/ausnog
> > > >
> > > > --
> > > > Damien Gardner Jnr
> > > > VK2TDG. Dip EE. GradIEAust
> > > > [email protected] - http://www.rendrag.net/
> > > > --
> > > > We rode on the winds of the rising storm,
> > > > We ran to the sounds of thunder.
> > > > We danced among the lightning bolts,
> > > > and tore the world asunder
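Two of the points raised in the thread, Glenn's suggestion to retain only a "100 points provided" attestation rather than the identity documents themselves, and Nathan's observation that some fields were hashed and then repeated in the clear, can both be turned into mechanical checks. The following is an added example written for this page; it is not code from any poster or from any telco system. The point values in the table and all sample records are constructed for illustration and are not the official 100-point schedule.

```python
"""Added example (not from the thread): data-minimisation checks for an
identity-verification record.

1. verify_100_points() performs the points check and returns an attestation
   that records only the outcome, the document categories and the time,
   never the document numbers themselves.
2. retained_record_is_minimal() confirms a record destined for long-term
   storage carries none of the raw identity fields.
3. find_hash_leaks() audits a record (e.g. an API response) for a field whose
   hash is stored alongside its plaintext, the pattern that makes the hash
   worthless.
"""
import hashlib
from datetime import datetime, timezone

# Constructed point values for illustration only (not the official schedule).
POINTS = {
    "passport": 70,
    "birth_certificate": 70,
    "drivers_licence": 40,
    "medicare_card": 25,
    "utility_bill": 25,
}

# Field names treated as raw identity data that should not be retained
# after verification. Assumed names, chosen for this example.
ID_FIELDS = {"document_number", "date_of_birth", "passport_number",
             "licence_number"}

# Digest algorithms to test when looking for hash-beside-plaintext leaks.
DIGESTS = ("md5", "sha1", "sha256")


def verify_100_points(documents):
    """documents: list of dicts with 'type' and 'document_number'.
    Each document category is counted once. Returns the attestation to keep."""
    categories = {d["type"] for d in documents}
    total = sum(POINTS.get(c, 0) for c in categories)
    return {
        "identity_verified": total >= 100,
        "points_total": total,
        "document_types": sorted(categories),
        "verified_at": datetime.now(timezone.utc).isoformat(),
    }


def retained_record_is_minimal(record):
    """True if none of the raw identity fields are present in the record."""
    return not (ID_FIELDS & set(record))


def find_hash_leaks(record):
    """Return the names of string fields whose digest (any of DIGESTS) also
    appears as the value of another field in the same record."""
    strings = {k: v for k, v in record.items() if isinstance(v, str)}
    lowered = {k: v.lower() for k, v in strings.items()}
    leaks = []
    for name, value in strings.items():
        digests = {hashlib.new(a, value.encode()).hexdigest() for a in DIGESTS}
        if any(other != name and v in digests for other, v in lowered.items()):
            leaks.append(name)
    return sorted(leaks)


# Constructed sample input: a passport and a licence presented at sign-up.
SAMPLE_DOCUMENTS = [
    {"type": "passport", "document_number": "N1234567"},
    {"type": "drivers_licence", "document_number": "12345678"},
]

# Constructed sample of a stored record that hashes the passport number and
# then repeats it in the clear; the DOB is hashed only, so it does not leak.
SAMPLE_API_RECORD = {
    "customer_id": "c-0001",
    "passport_number": "N1234567",
    "passport_number_hash": hashlib.sha256(b"N1234567").hexdigest(),
    "dob_hash": hashlib.sha256(b"1990-01-01").hexdigest(),
}

if __name__ == "__main__":
    attestation = verify_100_points(SAMPLE_DOCUMENTS)
    print("attestation:", attestation)
    print("attestation minimal:", retained_record_is_minimal(attestation))
    print("stored record minimal:", retained_record_is_minimal(SAMPLE_API_RECORD))
    print("hash-beside-plaintext leaks:", find_hash_leaks(SAMPLE_API_RECORD))
```

The attestation keeps enough to show a compliance auditor that the check was done and with what document categories, while the numbers that make a record valuable to an attacker are discarded once the check passes. The leak audit is cheap to run over a sample of API responses or a database export and will flag exactly the "hashed and then repeated in the clear" case.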
