Throughout April to October 2023, DSPANZ hosted a Data Minimisation and Retention Focus Group to work through what industry best
practice for retaining and deleting customer data should look like for DSPs.
Have your say
The focus group is currently seeking feedback and submissions from interested stakeholders on the draft Data Minimisation and Retention: Best Practice Guidance for Australian Digital Service Providers. Feedback or submissions are requested by 8 November 2023 and can be provided by emailing hello@dspanz.org.
Following the close of public submissions, DSPANZ aims to provide a summary of feedback received and an expected date for publishing the guide.
In a nutshell
The recommendation of the focus group is that:
- DSPs should retain all data whilst customers have an active, paying subscription or license for actively supported software
- DSPs should have documented customer data retention and deletion policies or processes
- Customers should be able to access and export their data before deletion
- DSPs may delete historical data 12 months after maximum retention periods
- DSPs should keep inactive, non-paying customer data for at least 12 months
- DSPs should take reasonable steps to contact customers before deleting data, excluding trial users.
Executive Summary
Digital Service Providers (DSPs) offer software solutions that taxpayers rely upon to manage their business and financial affairs. This
includes meeting their tax, financial and employment reporting and record-keeping obligations. For this reason, DSPs tend to follow
Australian legislation and practice guidance that document record-keeping requirements for taxation, invoicing, employer obligation,
business registry and superannuation records and retain data accordingly.
This document confirms that DSPs do not currently have specific legislative or regulatory obligations to retain customer data under Australian tax or employment law. DSPs retain customer data as a part of their services, as described in their contractual agreements with customers. Future changes to data retention and record-keeping legislation or regulations may better reflect how DSPs support taxpayers in meeting their obligations.
The central role software plays in business processes has has led to government, tax practitioners and taxpayers relying on DSPs to access current and historical records. The digitalisation of business processes has only increased the reliance on software. At the same time, the risks and costs associated with managing cyber protections and data storage are rising, particularly with the shift to cloud storage models.
This document first outlines record-keeping requirements for taxpayers, tax practitioners and DSPs. It then provides guidance for DSPs with respect to best practice on data retention and data minimisation practices that make sense in the current technical and cybersecurity environment. DSPANZ acknowledges the different requirements for different kinds of taxpayer data and the need for associated deletion processes.
Finally, this document provides additional information that DSPs may consider when following this best practice guidance.
At the highest level, the best practice guidance for DSPs are as follows:
- Customers SHOULD be able to access and retrieve their data before deletion.
- DSPs SHOULD take reasonable steps to contact customers before deleting data.
- DSPs SHOULD have documented customer data retention and deletion policies or processes.
- DSPs SHOULD keep inactive, non-paying customer data for at least 12 months.
- DSPs MAY delete historical data 12 months after maximum retention periods.
Alongside publishing this guidance, DSPANZ will be working with other stakeholders to support the business community with any changes to DSP data minimisation and retention practices.