DSP Best Practice

DSPANZ considers the following as data retention and minimisation best practice for DSPs:

This best practice guidance is based on the understanding that record-keeping is ultimately the taxpayer's responsibility. Taxpayers are responsible for ensuring they understand their record-keeping obligations, retaining records for their required periods and substantiating them when asked. DSPs must comply with the ATO's Operational Security Framework and other security or privacy obligations outside of this best practice guidance. 

How DSPs implement or reflect this best practice guidance  may depend on their product architecture and the business interactions they facilitate. DSP's terms of service or contracts should ideally follow this best practice guidance.

DSPs should allow customers to access and retrieve their data before it is deleted to ensure they can continue to comply with their record-keeping obligations. DSPs can choose how they provide data to their customers, but at a minimum, data should be human-readable without specialist software. Options to make customer data available include providing read-only access to the software or the ability to download PDF or CSV copies of their data. See examples of records and their suggested formats below. 

DSPs should advise customers how long they can access their data before it is deleted, which may include providing customers with the number of days they have to access their data. The timeframe that customers have to access their data may not align with the timeframe that DSPs should delete data within. 

Before deleting any data, DSPs may wish to provide information to their customers on their record-keeping obligations and the handling of sensitive or personally identifiable information. 

Please note: this guidance considers data portability between software products developed by different DSPs to be out of scope. 

DSPs should take reasonable steps to contact a customer before deleting their data. While the nature of this contact may differ between DSPs, at a high level, it should include the following information:

• What data will be deleted 
• When the data will be deleted
• How to access the data before it is deleted. 

DSPs should communicate this to their customers as soon as their commercial relationship ceases or when the data is flagged for deletion. DSPs may consider further communications as required. Note that there may be circumstances where the customer's contact details are no longer valid. 

DSPs should certify the permanent and full deletion of all data, whether at the customer's request or at the agreed time, to mitigate any perceived or real risk for the DSP. DSPs should retain a register of certifications and customer acknowledgment for a minimum of 10 years. 

DSPs should make information about how they retain and delete customer data readily available to their customers, for example, in their terms of service or contracts. This information should include:

• How long they retain data
• How they delete data
• How customers can access or export their data before deletion. 

DSPs should consider the following points on data retention and deletion in their policies, terms of service or contracts:

• Indicate all roles and responsibilities of both the customer and DSP, including decision making capability, actions and approvals. This should include responsibility for monitoring legislative changes that would impact the retention of the data held by the DSP and the application of any changes to historical data. 
• Mechanisms for the customer to audit (or have an audit performed) on the reliability and integrity of the data to ensure their data remains viable and readable for the entire retention time. 
• How the DSP manages data during a merger or acquisition?
• Conditions under which the DSP would agree with a customer request to retain data longer than the legislated retention period and how often the DSP would seek disposal authorisation from the customer. 
• How data will be disposed of to ensure the permanent erasure of data held by the DSP and the assurance provided to the customer (in the form of a disposal certificate or similar mechanism) certifying that the data is no longer recoverable. 
• The treatment of backups (data copies), which should be retained for shorter periods but also need to be managed and disposed of appropriately. 
• Specify the formats in which data is provided after the end of the commercial relationship to ensure that accessibility is maintained even without the appropriate software. 

If a customer has ended their commercial relationship with a DSP, the DSP should keep the customer data for at least 12 months before it is deleted. 

This 12 month retention period follows the ATO's DSP Operational Security Framework where access logs must be retained for 12 months. DSPs should retain customer data for as long as they retain user access log information. 

DSPs may be required to delete data sooner than the stated 12 month time period as required under different privacy or security obligations. 

Following the above guidance, DSPs should ensure they take reasonable steps to contact customers and confirm the end of the commercial relationship before deleting their data. 

Customer data is primarily the data or artefacts that ultimately form tax, employee obligation, invoicing, superannuation or business registry records. DSPs may or may not delete other customer data, such as contract information, depending on their approach to data deletion. Where DSPs retain data for analytical purposes, this data should be anonymised, and in line with the Privacy Act, any personal information should be de-identified. 

This best practice guidance broadly applies to production data, with the deletion of backups considered out of scope for this document.

DSPs will retain data for paying customers to support them in meeting their record-keeping requirements in line with their terms and conditions. 

If DSPs would like to implement processes for minimising historical customer data, they may look to delete data 12 months after it reaches its minimum retention period. However, DSPs should consider that record retention periods may vary and that customers may have templates or records they do not want to be deleted. 

It is important to recognise that while minimum retention periods exist, taxpayers may choose to retain data longer to meet cultural, community, historical or other business needs. More extended retention periods can often be permitted through an agreement between customers and DSPs. 

Data deletion may impact aggregated data sets and will likely be a catalyst for longer retention. For DSPs to retain as little data as possible, the responsibility for maintaining aggregated datasets may lie solely with the data owner (the customers) rather than the DSPs. However, the customer needs to fully understand the implications of this scenario and the impacts on reporting from existing systems. 

Before deleting any customer data, DSPs should take reasonable steps to contact their customers. 

This work is licensed under Attribution 4.0 International.