Quick Guide to Australia’s new Data Retention Laws

Times have changed, and so too have Data Retention Laws in Australia. If you’re a telecommunications provider – a licensed carrier, carriage service provider or internet service provider – it’s really important to know your obligations.

The new laws came into effect on 13 October 2015. You’re now obliged by law to collect and protect specific metadata for a period of two years. All retained data must be stored, encrypted and protected from unauthorised interference or access.

Sounds complex? It doesn’t need to be. Here we make it easy with a quick guide to complying with the new Data Retention Laws.

Why the law changed

Metadata is important information that helps fight criminal activity and protect national security. In the past, a lack of information and data records has prevented criminals from being brought to justice and has hampered investigations. The previous law lagged well behind the rapid changes in modern technology, even referencing floppy disks, which nobody uses anymore.

The new laws will help authorities to track illegal activity, such as child exploitation and terrorism threats, for which perpetrators often share information online.

Metadata you must collect

The new Data Retention Laws are designed to capture metadata – information that identifies the communication source and destination – not the actual content. For example, metadata about every phone call, text message and email sent by customers will be tracked, but the message content will not be recorded. Metadata to be captured includes:

  1. the source and destination of the communication
  2. date, time and duration of the communication
  3. type of service used (e.g. phone, SMS, laptop)
  4. location of equipment or the device used

Other, more general metadata to be collected includes:

  1. name, address and billing information
  2. telephone number
  3. IP address
  4. email address
  5. download and upload volumes

Who can access the metadata?

Police, major crime and anti-corruption commissions, and customs and border protection agencies can access the metadata you collect. These organisations are required to have well-developed internal systems for protecting the data and ensuring privacy at all times.

Where to go for help

The Australian Government’s Data Retention Industry Grants Programme provides financial assistance for works undertaken to meet your new Data Retention obligations. The Government has allocated $128.4 million to this programme.

Get in quick, because applications for grants close on 23rd February 2016.

How to simplify data protection

The new laws place two specific obligations on telecommunications providers:

  1. Metadata collection
  2. Metadata protection

For most businesses, the collecting part is easy. Protecting the data from unauthorised access, however, is far more challenging. This is where Stickman Consulting steps in to help.

Stickman has developed a customised methodology and solution to assist companies to achieve and maintain compliance with the Data Retention guidelines. The methodology consists of four phases:

Phase 1 – Define the scope of the data retention for your organisation

Phase 2 – Plan the implementation and assess the solutions required to achieve the data retention guidelines

Phase 3 – Execute the plan to achieve the data retention guidelines

Phase 4 – Maintenance plan and actions to continuously meet the data retention guidelines.

Stickman’s Data Retention solution helps protect any structured or unstructured data located on servers, laptops and desktops. The solution covers detailed workshops, interviews, awareness and training, along with recommendations of technology to support encryption, masking, tokenisation and anonymisation, and offers dynamic, context-aware security levels.

The solution can address the needs of telecommunications providers, with basic to defence-level:

  1. access control
  2. multi-factor authentication
  3. logging and auditing
  4. high performance
  5. small to enterprise scalability
  6. transparent implementation
  7. privileged user protection levels
  8. application whitelist and blacklist control
  9. high availability

If you’d like to know more about data protection and how to meet your data retention obligations, please get in touch today.
