Telstra says it will support a Federal Government review of data retention laws and the storage of that sensitive data in the wake of the recent Optus data breach.
The company would also be in favour of verifying a customer’s data through biometrics like a fingerprint or facial recognition when needed rather than storing data for years.
Telstra CEO Vicki Brady says Telstra uses the 100-point ID Check, which is widely used across the industry (including by Optus) and verifies a customer’s identity with one primary ID plus one or two secondary IDs, or with two primary IDs.
“In recent years, we have become comfortable as a community in handing over this information without giving much thought to what happens to it afterwards,” Ms Brady says.
“But the growing number of fraud and identity theft cases across Australia are a stark reminder of what this information can be used for if it gets into the wrong hands.”
There are laws and codes around retaining customer IDs for at least two years.
Telstra says its systems are geared towards meeting that requirement in the event of a request from law enforcement agencies investigating fraud and other criminal activity.
But Telstra says the law also requires that the retained data is encrypted and protected from unauthorised access.
In the case of Optus, the hackers were able not only to penetrate its systems but also to steal data that appeared not to be encrypted.
But there could be changes coming in how customer data is stored and handled.
“The Federal Government has indicated it is looking at changes in this space and we’re supportive of a review,” Ms Brady said.
“We understand there’s a fine balance between retaining data to help combat crime and protecting our customers’ privacy.
“We want to make our principles on retaining customer ID data clear: once we know who you are, and we have an ongoing way of verifying who you are (for example, through biometrics like face ID or fingerprints that you control), there should be very few reasons to retain your ID data.
“We will be guided by the outcomes of the Government’s reforms and developments under the Trusted Identity Framework, but that is our starting point.
“We look forward to working with the Government and regulators on getting clear and consistent rules in place that function in the interests of our customers.”