The Times Australia
The Times World News

.

Optus says it needed to keep identity data for six years. But did it really?

  • Written by Brendan Walker-Munro, Senior Research Fellow, The University of Queensland
The Australian government's MyGov website was hacked in 2020.

Among the many questions raised by the Optus data leak – cybersecurity experts are confident it wasn’t a hack, but that may have to be decided by a court – is why the company was storing so much personal information for so long.

Optus had a legitimate need[1] to collect that data – to verify customers were real people and potentially to recover any debts later. This is known as a “know your customer[2]” (or “KYC”) requirement.

But the reason about 4 million former customers[3] along with 5.8 million current customers are now worrying about their driver’s licences, passport numbers and Medicare numbers ending up in the hands of criminals[4] is due to Optus hanging on to it for six years.

Optus has said[5] it is legally required to do so.

It is required by the Telecommunications Consumer Protections Code[6], the industry code of practice overseen by the Australian Communications and Media Authority, to provide customers (or former customers) billing information for “up to six years prior to the date the information is requested”.

But your name, address and account reference number should be all it needs for this, not your passport, driver’s licence or Medicare details. If it needs to confirm your identity it could simply ask for documents again.

The only clear legal requirement for it to keep “information for identification purposes” comes from the Telecommunications (Interception and Access) Act 1979[7], which requires that identification information and metadata be kept for two years (to assist law enforcement and intelligence agencies).

Read more: What does the Optus data breach mean for you and how can you protect yourself? A step-by-step guide[8]

Is there any limit?

The big problem with Australia’s data retention laws is that there’s really no limit on how long a company can keep personal data.

The federal Privacy Act[9] says only that information must be destroyed “where the entity no longer needs the information for any purpose for which the information may be used or disclosed by the entity”.

That’s a loose requirement. A company could theoretically argue it “needs” to keep customer information for anything – such as defending against a civil claim in court, as part of its corporate records, or for marketing. This is especially the case when we have consented to those uses when we sign up for the services, another practice the Privacy Act allows.

This is a serious weakness with our privacy laws. Consumer data is big business. Companies are collecting – and keeping – much more personal information than they need without a truly legitimate commercial or legal purpose.

I call this trend “hyper-collection”. It’s turning companies into goldfields for hackers. Once personal information is stolen there is often little authorities can do[10].

Read more: What do TikTok, Bunnings, eBay and Netflix have in common? They’re all hyper-collectors[11]

It’s time to get serious about data privacy

Australia needs to get more serious about unnecessary data collection and retention. As technology gets more interwoven into our daily lives, protecting personal data presents massive challenges.

The need for vigilance should have been made clear to the federal government in 2020, when its own myGov website was hacked[12].

The usernames and passwords of thousands of accounts were made available for sale on the dark web. Anyone buying those details would have had access to Medicare, Centrelink, National Disability Insurance Scheme and tax office records.

The Australian government's MyGov website was hacked in 2020.
The Australian government’s MyGov website was hacked in 2020. Shutterstock

Privacy laws are too weak both in obligations and penalties. The fines for “serious interference with privacy” are $444,000 for individuals and $2.2 million for companies – hardly enough for a corporation the size of Optus to sit up and take notice. Nor do they offer comfort to those affected.

Legislative action is needed to clarify what information companies can collect, how they can collect it, and what they can do with it.

Read more: The 'Optus hacker' claims they've deleted the data. Here's what experts want you to know[13]

Opportunities for action

There are two obvious opportunities for the federal government to act.

The first is in its response to recommendations arising from the Attorney-General’s Department’s long-running review of the Privacy Act[14] (which has yet to deliver its final report). Ironically Optus made a submission to the review that actually suggested weakening privacy protections[15].

The second is what it does with the National Data Security Action Plan[16] being developed by the Department of Home Affairs.

The intention of this plan appears to be to treat data as a national asset. If so, it should strengthen policy and legislation around security, ensure Australians know their rights and responsibilities, and ensure consistent responses to cybercrime.

We need to scrutinise every company – not just Optus, and not just after the fact – and ask questions about their data collection. Why do they need to know things? What information are they keeping, how long for and why?

Without action, the next breach at this kind is a matter of when, not if.

We asked Optus to clarify the reasons it needs to keep identification data for six years but received no response.

References

  1. ^ legitimate need (www.sbs.com.au)
  2. ^ know your customer (www.austrac.gov.au)
  3. ^ 4 million former customers (www.news.com.au)
  4. ^ the hands of criminals (www.sbs.com.au)
  5. ^ has said (www.theguardian.com)
  6. ^ Telecommunications Consumer Protections Code (www.commsalliance.com.au)
  7. ^ Telecommunications (Interception and Access) Act 1979 (www.oaic.gov.au)
  8. ^ What does the Optus data breach mean for you and how can you protect yourself? A step-by-step guide (theconversation.com)
  9. ^ Privacy Act (www.oaic.gov.au)
  10. ^ little authorities can do (www.afr.com)
  11. ^ What do TikTok, Bunnings, eBay and Netflix have in common? They’re all hyper-collectors (theconversation.com)
  12. ^ myGov website was hacked (www.afr.com)
  13. ^ The 'Optus hacker' claims they've deleted the data. Here's what experts want you to know (theconversation.com)
  14. ^ Privacy Act (www.ag.gov.au)
  15. ^ suggested weakening privacy protections (www.ag.gov.au)
  16. ^ National Data Security Action Plan (www.homeaffairs.gov.au)

Read more https://theconversation.com/optus-says-it-needed-to-keep-identity-data-for-six-years-but-did-it-really-191498

Times Magazine

Building an AI-First Culture in Your Company

AI isn't just something to think about anymore - it's becoming part of how we live and work, whether we like it or not. At the office, it definitely helps us move faster. But here's the thing: just using tools like ChatGPT or plugging AI into your wo...

Data Management Isn't Just About Tech—Here’s Why It’s a Human Problem Too

Photo by Kevin Kuby Manuel O. Diaz Jr.We live in a world drowning in data. Every click, swipe, medical scan, and financial transaction generates information, so much that managing it all has become one of the biggest challenges of our digital age. Bu...

Headless CMS in Digital Twins and 3D Product Experiences

Image by freepik As the metaverse becomes more advanced and accessible, it's clear that multiple sectors will use digital twins and 3D product experiences to visualize, connect, and streamline efforts better. A digital twin is a virtual replica of ...

The Decline of Hyper-Casual: How Mid-Core Mobile Games Took Over in 2025

In recent years, the mobile gaming landscape has undergone a significant transformation, with mid-core mobile games emerging as the dominant force in app stores by 2025. This shift is underpinned by changing user habits and evolving monetization tr...

Understanding ITIL 4 and PRINCE2 Project Management Synergy

Key Highlights ITIL 4 focuses on IT service management, emphasising continual improvement and value creation through modern digital transformation approaches. PRINCE2 project management supports systematic planning and execution of projects wit...

What AI Adoption Means for the Future of Workplace Risk Management

Image by freepik As industrial operations become more complex and fast-paced, the risks faced by workers and employers alike continue to grow. Traditional safety models—reliant on manual oversight, reactive investigations, and standardised checklist...

The Times Features

Is our mental health determined by where we live – or is it the other way round? New research sheds more light

Ever felt like where you live is having an impact on your mental health? Turns out, you’re not imagining things. Our new analysis[1] of eight years of data from the New Zeal...

Going Off the Beaten Path? Here's How to Power Up Without the Grid

There’s something incredibly freeing about heading off the beaten path. No traffic, no crowded campsites, no glowing screens in every direction — just you, the landscape, and the...

West HQ is bringing in a season of culinary celebration this July

Western Sydney’s leading entertainment and lifestyle precinct is bringing the fire this July and not just in the kitchen. From $29 lobster feasts and award-winning Asian banque...

What Endo Took and What It Gave Me

From pain to purpose: how one woman turned endometriosis into a movement After years of misdiagnosis, hormone chaos, and major surgery, Jo Barry was done being dismissed. What beg...

Why Parents Must Break the Silence on Money and Start Teaching Financial Skills at Home

Australia’s financial literacy rates are in decline, and our kids are paying the price. Certified Money Coach and Financial Educator Sandra McGuire, who has over 20 years’ exp...

Australia’s Grill’d Transforms Operations with Qlik

Boosting Burgers and Business Clean, connected data powers real-time insights, smarter staffing, and standout customer experiences Sydney, Australia, 14 July 2025 – Qlik®, a g...