[AusNOG] Optus Hack

Narelle Clark narellec at gmail.com
Wed Sep 28 14:55:16 AEST 2022


Yep

A lot of this is in the industry codes we live with, and yes, there are
differing opinions on what is a reasonable business purpose and for how
long. Other good suggestions have been made, but on the voice print one, I
now answer the phone with a nondescript noise, rather than my name, as this
would therefore be snippable and usable!

Ah for the olden days when things were simpler, and the worst you got was a
kid asking if Mr Walls was there...

Narelle

On Wed, 28 Sept 2022 at 12:03, James Murphy <jamesmurphyau at me.com> wrote:

> I'll stop referring to DOB because it seems valid and reasonable that it
> is kept - so I'll just mention the license number / passport number - which
> is what people really have an issue with.
>
> What I read in that law you linked to below (F2017L00399
> - Telecommunications (Service Provider — Identity Checks for Prepaid Mobile
> Carriage Services) Determination 2017) actually says it's against the law
> to "record and keep" either "the identifying number of a government
> document" or "a category A document or category B document."
>
> They are allowed to "record or keep" the identification number for
> "permitted purposes" (verifying someone's identity) and "only for such time
> as is reasonably necessary for the permitted purpose"
>
> Does anyone actually know where or how they are required by law to store a
> license number or passport number?? Or does everyone just assume they need
> to do this because others have said so, or they think the company needs to
> keep X years of records for their business (of which those records do
> *currently* include license number, but by law they don't need to include
> a license number - and by some laws, it's even against the law to store the
> license number)
>
>
> *6.4 Restrictions on the recording and keeping of certain information*
>
> (1) Subject to subsections (2) and (3), a carriage service provider must
> not, in connection with a requirement imposed by this Determination, record
> and keep:
>     (a) the identifying number of a government document; or
>     (b) a category A document or category B document.
>
> (2) Subsection (1) does not prohibit the recording and keeping of
> information or a document if that recording and keeping is required or
> authorised by or under a law.
>
> (3) Subsection (1) does not prohibit the recording and keeping of the
> identifying number of a government document where:
>     (a) the carriage service provider records the identifying number of a
> government document for a permitted purpose; and
>     (b) the carriage service provider records the information only for
> such time as is reasonably necessary for the permitted purpose; and
>     (c) immediately after the carriage service provider verifies the
> service activator’s identity, the carriage service provider destroys the
> number; and
>     (d) the recording is not otherwise prohibited by law.
>         Example If a customer has unsuccessfully attempted to verify their
> identity online using a government online verification service, a carriage
> service provider may use the identifying number of that customer’s
> government document to assist that customer to verify his or her identity
>
> (4) A carriage service provider must not copy or reproduce any document
> that contains the information which must not be recorded and kept because
> of subsection (1).
>         Note A carriage service provider’s arrangements for recording and
> handling personal information must comply with Commonwealth privacy laws
> where applicable.
>
> (5) In this section:
>     permitted purpose means:
>     (a) the purpose of verifying the identity of a service activator in
> accordance with section 4.5; or
>     (b) any other purpose that is ancillary or incidental to the
> provider’s obligation to verify the identity of a service activator in
> accordance with section 4.5.
>
> *4.5 Verification of the identity of a customer who is a service activator*
>     (1) This section applies to the carriage service provider if the
> customer is a service activator.
>     (2) The carriage service provider must verify the identity of the
> service activator using an approved method of identity verification
> specified in column B of Schedule 1
>
>


-- 


Narelle
narellec at gmail.com