The Data Minimisation & Retention: Best Practice Guidance for Australian Digital Service Providers aims to assist Digital Service Providers (DSPs) with adapting their data retention and minimisation practices to better reflect the current technical and cybersecurity environment.
DSPANZ considers the following as data retention and minimisation best practice for DSPs:
- Customers SHOULD be able to access and retrieve their data before deletion
- DSPs SHOULD take reasonable steps to contact customers before deleting data
- DSPs SHOULD have documented customer data retention and deletion policies or processes
- DSPs SHOULD keep inactive, non-paying customer data for at least 12 months
- DSPs MAY delete historical data 12 months after minimum retention periods.
Alongside the above best practice, the guidance document also outlines record-keeping requirements for taxpayers, tax practitioners and DSPs and provides additional information for DSPs to consider when following the guidance.
This guidance was produced by DSPANZ and informed by the Data
Minimisation and Retention Focus Group and an open consultation period. The guide was first published
on 24 April 2024 and is current as of 24 April 2024. This
work is licensed under Attribution 4.0 International.