Optus says that it would have struggled to comply with its legislative obligations without a decision by the government that exempted it from a requirement to encrypt all metadata collected as part of Australia’s data retention regime.
The Data Retention Act says a telecommunications provider “must protect the confidentiality of information that, or information in a document that, the service provider must keep, or cause to be kept” as part of complying with the regime, by “encrypting the information” and by “protecting the information from unauthorised interference or unauthorised access”.
However, Optus revealed in a submission to a review of the data retention regime by the Parliamentary Joint Committee on Intelligence and Security (PJCIS) that it had “applied for and received limited exemptions from the encryption obligation”.
The relevant act states that the government’s Communications Access Co-ordinator may exempt a service provider from certain data retention obligations “either generally or in so far as they relate to a specified kind of relevant service”.
Achieving compliance was a “very significant undertaking,” Optus said in its submission.
“The legislative provisions which allow for certain exemptions to be granted were an important factor in Optus achieving compliance in an efficient and timely manner,” the document states.
“Because part of its overall data retention architecture involved storing some data in legacy systems, Optus applied for and received limited exemptions from the encryption obligation. Without these exemption provisions, additional cost and complexity would have resulted, because the encryption obligation was otherwise incompatible with the operation of the exempted legacy applications.”
“Optus takes the security of data very seriously and all customer data is safely secured,” an Optus spokesperson said.
“Whilst Optus received some initial exemptions relating to legacy systems, these were very limited in scope and conditional on other significant compensating controls being in place to protect the security of the data.”
“These controls have been independently assessed by the Office of the Australian Information Commissioner and found to be satisfactory,” the spokesperson added. “The OAIC has a role under the legislation to review the security of personal information kept for data retention.”
Comment has been sought from the government as to whether other telecommunications providers received similar exemptions.
“Optus is not aware of any security events which would warrant revisiting the security obligations imposed on regulated entities,” the telco’s submission stated.
A submission to the PJCIS from the Department of Home Affairs argued that on the whole the obligations imposed by the Data Retention Act had led to telco customers’ information being better protected.
Despite concerns that data retention could create a ‘honey pot’ for hackers, telcos already had security measures in place to protect the customer data they retained for commercial purposes, the department argued.
“Given this, it did not follow that the proposed data retention scheme presented an unmanageable level of risk to customer privacy,” its submission stated. “The evidence to date supports that the existing data security arrangements have been effective.”