Hi, there's more than just the telco and privacy laws, though, and what you think your company is required to adhere to can be non-trivial to determine and may not be consistent.
e.g. https://www.legislation.gov.au/Details/C2022C00179 If a telco is providing devices on hire-purchase or lease (see 6.(2), 10 and 12 for instance), as people often do with mobile carriers for phones, then the requirement to maintain that information is 7 years as per Part 10.

MMC

On Tue, Sep 27, 2022 at 11:00 PM James Murphy <[email protected]> wrote:

> Looking over the Privacy Act and oaic.gov.au, I still can't see any laws about a telco (or any business other than a credit reporting body) storing this level of information - specifically a drivers license number or date of birth (passport number isn't mentioned).
>
> "identification information" is the term that includes a drivers license number and date of birth.
> "Credit information" is the term that includes "identification information" about an individual (therefore includes drivers license number and date of birth).
>
> There are only laws about how long a credit reporting body stores this information. A credit provider (ie Optus) doesn't need to store it, but does need to provide it to the credit reporting body - so they need to collect it and share it but they don't need to store it.
>
> For the data a telco does need to store - which looks to be added in the "Telecommunications (Interception and Access) Act 1979" - they all talk about "personal information" (which doesn't specifically include date of birth or drivers license number, so you would be complying with that law if you didn't store those pieces of data - provided you can reasonably identify a person with the data you do store).
>
> From the Privacy Act:
>
> *personal information* means information or an opinion about an identified individual, or an individual who is reasonably identifiable:
> (a) whether the information or opinion is true or not; and
> (b) whether the information or opinion is recorded in a material form or not.
> Note: Section 187LA of the Telecommunications (Interception and Access) Act 1979 extends the meaning of personal information to cover information kept under Part 5-1A of that Act.
>
> So the argument that they need to store this by law - to me (a software developer/techy who sometimes can spend hours reading shit like this trying to pick holes in it - so: not a lawyer) - doesn't seem valid.
>
> If this is required by law, I would love to understand how (ie which laws/acts cover it).
>
> On 27 Sep 2022, at 16:46, Serge Burjak <[email protected]> wrote:
>
> https://www.oaic.gov.au/privacy/the-privacy-act
>
> Covers it pretty well.
>
> On Tue, 27 Sept 2022 at 16:36, James Murphy <[email protected]> wrote:
>
> Does anyone know which laws cover the data they were keeping?
> Did a search for anything with "telecommunication" in the name (link), found 71 results and downloaded 73 PDF files (C2022C00170 Telecommunications Act 1997 had 3 files, all others had 1 file), and can't find anything that mentions keeping this level of data.
> The closest thing I found was in the following:
>
> C2022C00151 - Telecommunications (Interception and Access) Act 1979
> C2015A00039 - Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015
> C2021A00078 - Telecommunications Legislation Amendment (International Production Orders) Act 2021
>
> which contained the following two sections that seem to cover identification information - there doesn't seem to be anything that says they need to collect or store to the level that Optus seems to have done. Almost reads like you could store name and address (without DOB?) and that would be adequate enough (but I'm not a lawyer so who knows). Am I looking in the wrong place/at the wrong laws?
>
> 13 Identification of a particular person
> For the purposes of this Schedule, a particular person may be identified:
> (a) by the person’s full name; or
> (b) by a name by which the person is commonly known; or
> (c) as the person to whom a particular individual transmission service is supplied; or
> (d) as the person to whom a particular individual message/call application service is provided; or
> (e) as the person who has a particular account with a prescribed communications provider; or
> (f) as the person who has a particular telephone number; or
> (g) as the person who has a particular email address; or
> (h) as the person who has a particular internet protocol address; or
> (i) as the person who has a device that has a particular unique identifier (for example, an electronic serial number or a Media Access Control address); or
> (j) by any other unique identifying factor that is applicable to the person.
>
> and
>
> 187AA Information to be kept
> (1) The following table sets out the kinds of information that a service provider must keep, or cause to be kept, under subsection 187A(1):
>
> Item 1
> Topic: The subscriber of, and accounts, services, telecommunications devices and other relevant services relating to, the relevant service
> Description of information: The following:
> (a) any information that is one or both of the following:
> (i) any name or address information;
> (ii) any other information for identification purposes;
> relating to the relevant service, being information used by the service provider for the purposes of identifying the subscriber of the relevant service;
> (b) any information relating to any contract, agreement or arrangement relating to the relevant service, or to any related account, service or device;
> (c) any information that is one or both of the following:
> (i) billing or payment information;
> (ii) contact information;
> relating to the relevant service, being information used by the service provider in relation to the relevant service;
> (d) any identifiers relating to the relevant service or any related account, service or device, being information used by the service provider in relation to the relevant service or any related account, service or device;
> (e) the status of the relevant service, or any related account, service or device.
>
> On 27 Sep 2022, at 11:12, Nathan Brookfield <[email protected]> wrote:
>
> They’re legally obligated to retain it but why it’s on the API and why it’s not encrypted.
>
> Looking at the data some fields are hashed and then repeated in the bloody clear :(
>
> On 27 Sep 2022, at 11:02, [email protected] wrote:
>
> My understanding was that the data included the 100 points of ID info. Why are they retaining this? Surely after confirming the 100 points there only needs to be a record "100 points provided"=true and not retain the actual details. This goes back to only keeping the private data you need.
>
> regards,
> Glenn
>
> On 2022-09-27 10:49, Damien Gardner Jnr wrote:
>
> Personally, I find putting Authentication on my API endpoints to be a FANTASTIC first step towards API security. And then not even using public IP addresses in test environments is a pretty good second step.. </onlyhalfsarcasticherewhydoesthiskeephappening>
>
> On Tue, 27 Sept 2022 at 10:46, Bevan Slattery <[email protected]> wrote:
>
> Hi everyone,
> Obviously a big week in telco and cybersecurity. As part of my work I am on the Australian Cyber Security Industry Advisory Committee as an industry representative.
> I am keen to look at opening up a dialogue with more and more telco, DC and Cloud CISO’s on what they are doing around this issue and looking to take a proactive step towards best practice on customer data and system security.
> There will be some pretty serious consequences of this hack on the industry and importantly we need to make sure we are as best placed to help each other continually increase in security posture through best practice, but also working with each other as an industry.
> Are people keen on having an online/VC session sometime in the next few weeks where like-minded industry participants get together and discuss security, retention, encryption, threat detection etc.? If so, just ping me directly and if there is enough interest I will send out an invitation to the list for a call.
> Cheers
> [b]
>
> --
> Damien Gardner Jnr
> VK2TDG. Dip EE. GradIEAust
> [email protected] - http://www.rendrag.net/
_______________________________________________ AusNOG mailing list [email protected] https://lists.ausnog.net/mailman/listinfo/ausnog
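Two defender-side checks that follow from Glenn's point (retain only the fact that the 100-point check passed, not the documents) and Nathan's observation (fields hashed and then repeated in the clear), as an added Python example that is not part of the thread. All sample data, field names and point weights are constructed for illustration and are not the real 100-point schedule.

```python
# Added example, not code from the AusNOG thread; all sample data is constructed.
import hashlib

HASH_ALGOS = ("md5", "sha1", "sha256")

# Constructed verification result; point weights are illustrative, not the real schedule.
SAMPLE_VERIFICATION = {
    "customer_id": "C-0001",
    "verified_at": "2022-09-27T10:49:00+10:00",
    "documents": [
        {"type": "passport", "number": "PA1234567", "points": 70},
        {"type": "drivers_licence", "number": "12345678",
         "date_of_birth": "1990-01-01", "points": 40},
    ],
}

# Constructed API response showing the "hashed, then repeated in the clear" pattern.
SAMPLE_RESPONSE = {
    "customer_id": "C-0001",
    "drivers_licence_no": "12345678",
    "drivers_licence_hash": hashlib.sha256(b"12345678").hexdigest(),
    "email": "jane@example.test",
    "email_md5": hashlib.md5(b"jane@example.test").hexdigest(),
}

def minimise_record(verification: dict, points_required: int = 100) -> dict:
    """Keep only the attestation that the check passed, never the document numbers or DOB."""
    docs = verification["documents"]
    total = sum(doc["points"] for doc in docs)
    return {
        "customer_id": verification["customer_id"],
        "id_verified": total >= points_required,
        "points_total": total,
        "document_types": sorted(doc["type"] for doc in docs),
        "verified_at": verification["verified_at"],
    }

def find_hash_echoes(record: dict) -> list:
    """Return (plain_field, hash_field, algo) wherever a field's plaintext sits beside its own hash."""
    strings = {k: v for k, v in record.items() if isinstance(v, str)}
    fields_by_value = {}
    for key, value in strings.items():
        fields_by_value.setdefault(value.lower(), []).append(key)
    echoes = []
    for field, plain in strings.items():
        for algo in HASH_ALGOS:
            digest = hashlib.new(algo, plain.encode()).hexdigest()
            for hash_field in fields_by_value.get(digest, []):
                echoes.append((field, hash_field, algo))
    return echoes
```

Running `find_hash_echoes` over an API response in a test environment flags every field where hashing bought nothing because the plaintext is returned alongside it.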
