Why we retain customer ID data, and our view on where to from here
With a growing number of cyber attacks and data breaches hitting the media, some of our customers are asking us what ID documents we keep, for how long, and for what reason. These are all fair questions and you’re right to be asking them.
We’re all familiar with the 100 point ID Check which is used widely across Australia to make sure people are who they say they are. Like a lot of organisations, Telstra uses the 100 point ID Check when customers connect a service with us.
In short, to set up a new account with us, we’re required to verify your identity by checking and confirming at least one form of primary ID plus one or two forms of secondary ID, or two primary IDs.
In recent years, we have become comfortable as a community in handing over this information without giving much thought to what happens to it afterwards. But the growing number of fraud and identity theft cases across Australia is a stark reminder of what this information can be used for if it gets into the wrong hands.
Why we are required to retain customer ID data
At the moment a range of laws and codes are geared towards us retaining our customers’ ID data, and as a result our systems are set up to do so.
For example, to help law enforcement agencies combat fraud and other criminal activity, telecommunications service providers are required to retain data used for identification purposes while an account is active, and for two years after it is closed. Importantly, the retained data must be encrypted and protected from unauthorised interference and access. This is the law and we comply with it as a necessary part of doing business.
We support a review of legislation that puts customers first
The Federal Government has indicated it is looking at changes in this space and we’re supportive of a review. We understand there’s a fine balance between retaining data to help combat crime and protecting our customers’ privacy.
The requirements to retain this data made sense at the time they were created, and have helped combat fraud and support other law enforcement activities. With more recent advances in multi-factor authentication for ID purposes, and initiatives like the Trusted Digital Identity Framework on the horizon, we absolutely agree it’s time these rules were looked at.
We want to make our principles on retaining customer ID data clear: once we know who you are, and we have an ongoing way of verifying who you are (e.g. through biometrics like face ID or fingerprints that you control), there should be very few reasons to retain your ID data. We will be guided by the outcomes of the Government’s reforms and developments under the Trusted Identity Framework, but that is our starting point.
We look forward to working with the Government and regulators on getting clear and consistent rules in place that function in the interests of our customers.