• Property & conveyancing
  • Business legal services
  • Building & construction
  • Legal Counsel Packages
  • Wills and estates

Stay in touch with how the law affects you! Subscribe to our

Subscribe to Forum Law News

* indicates required

What data retention laws mean for your business

Privacy Law News | February 2016

With the implementation of the Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015 (Cth) [“the Act”] in Australia, telecommunications and internet service providers [“Service Providers”] must be aware of their obligations in respect of retaining their customers’ data.

The new obligations under the Act require Service Providers to retain their customers’ metadata for a minimum of 2 years. The Privacy Act 1988 (Cth) [“the Privacy Act”] defines metadata as protected personal information and relates to the following information which must be retained:

  • Customer’s account and service information;
  • Source and destination of communications;
  • Date, time and duration of communications;
  • Type of communication or of relevant service used in connection with a communication;
  • Location of equipment, or a line, used in connection with a communication.

Service Providers

The Privacy Act also imposed the following obligations upon Service Providers:

  • Developing a privacy policy which sets out information about the way in which data is handled;
  • Providing privacy notifications to individuals at or around the time that data is collected;
  • Subject to certain expectations, providing individuals with access to the data held about them.

The Federal Government has indicated that it will contribute around $131 million to assist service providers with the implementation costs involved to ensure compliance with the Act. The Act allows for grants of this type to be awarded to Service Providers where it is deemed to be necessary.

Compliance has a deadline

The substantive provisions of the Act came into effect on 13 October 2015 and the deadline for Service Providers to comply with the mandated requirements of the Act is 13 April 2017 [“the Deadline”]. Strict and expensive penalties may apply to Service Providers that fail to comply by the Deadline.

Failure to comply with the retention obligations under the Act may result in service providers facing infringement notices and penalties of up to $10,800 per contravention and up to $10 million if the Federal Court views that the Service Provider has breached their licence conditions.

Preparing your data retention plan

Important matters to consider when preparing data retention plans include:

  • Current practices for keeping, and ensuring the confidentiality of, information and documents which are required to be kept;
  • Interim arrangements which service providers propose to be implemented whilst the plan is in force, for keeping, and ensuring the security of, such information and documents;
  • The deadline for the service provider’s compliance with the mandated requirements. This deadline must be no later than 13 April 2017 in the event that the service provider was operating the service at the commencement of the Act;
  • Any relevant services of the service provider that the plan does not cover; and
  • The identity of the Service Provider’s officers and employees who should be contacted in relation to the data retention plan.
Forum Law has been closely tracking the growing significance of this area of law in the digital age. You are very welcome to give us a call for an obligation-free chat for up to 30 minutes or make a time to visit us in Leichhardt on (02) 9560 3388.

Forum Law is an active member of several reputable law and industry associations. We have recently obtained ISO9001 accreditation.