DATA RETENTION ACT 2015:
What Australian MSPs and Telcos need to know about the Data Retention Act
Any company in Australia who sells voice or data products needs to be compliant with the Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015. Many companies are not yet compliant with the act. This is despite the fact that it has been enforceable since April 13th 2017!
Fines for non-compliance range from $50,000 to $10 million – it is only a matter of time before companies like yours start getting audited.
Emersion has built a number of modules to assist clients to meet their obligations under the act including storing encrypted usage information for a period of two years and making it easy to retrieve the data held on individual customers. Existing customers of Emersion can meet their requirements under the act by turning on our data retention module(s).
Talk to us today about what your business needs to do to avoid fines and potential legal action from the government.
The deadline for providers to be compliant with the Australian Government’s Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015 is April 13th 2017.
Those providers who do not comply could be liable to Pecuniary Penalties (see excerpt below):
Telecommunications Act 1997, Part 31—Civil penalties
570 Pecuniary penalties for contravention of civil penalty provisions
(3) The pecuniary penalty payable under subsection (1) by a body corporate is not to exceed:
(a) in the case of a contravention of subsection 68(1) or (2) or 101(1) or (2)—$10 million for each contravention; or
(b) in any other case—$250,000 for each contravention.
(4) The pecuniary penalty payable under subsection (1) by a person other than a body corporate is not to exceed $50,000 for each contravention.
In Australia any company who sells voice (e.g. VoIP, landlines, mobile phone plans) or data (e.g. internet) needs to be compliant with the Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015.
This means that you need to retain the following information in an encrypted format for a period of at least two years:
- Incoming and outgoing telephone caller identification
- Date, time and duration of a phone call
- Location of the device from which phone call was made
- Unique identification number assigned to each mobile phone involved in a particular phone call
- The email address from which an email is sent
- The time, date and recipients of emails
- The size of any attachment sent with emails and their file formats
- Account details held by the internet service provider (ISP) such as whether or not the account is active or suspended
(Source: Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015 Section 187AA)
Businesses have just 72 hours to provide this information when they receive a request under the act. This means providing a filtered export file containing only the data that has been requested.
In addition to this you will need to store information about the request including:
- Who has requested access to the information
- What information they requested
- Who within your team has requested access to the data
Even if you are storing all of the required data, exporting the information within the 72-hour timeframe will be a nightmare for most companies.
Is your company on top of your data retention obligations? If not, Emersion has built a Data Retention Module to help your company be compliant with the act.
Emersion’s Data Retention Module
Emersion has invested significantly into our platform to provide a way for MSPs and Telcos to be compliant with the Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015.
We do this through:
- Storing managed familiar data that Emersion holds in its core system for two years (such as account details, billing details, transaction and payment details, usage, payment methods etc.)
- Optionally storing managed unfamiliar data (data not usually held in Emersion's core systems, such as email logs, RADIUS and Netflow information). This requires additional setup, and in many cases the obligation to store this data can be passed through to the wholesaler
- Encryption of data
- Built in reports and user interface for data retrieval, as well as the option of connection via API
- Storing the details of the request such as when it was made, who requested access, what data was requested and who internally provided access to the data.