Frequently Asked Questions

Have a question about the Data Minimisation and Retention: Best Practice Guidance for Australian Digital Service Providers? Take a look at our frequently asked questions below.

Can't find the answer to your question? Get in touch.

Who does the guidance apply to?

The Data Minimisation and Retention: Best Practice Guidance for Australian Digital Service Providers primarily applies to Australian DSPs and third party providers within their network who offer solutions commonly used in the day to day management of a business - not limited to but including - taxation, accounting, reporting, payroll, superannuation, point of sale or eCommerce and eInvoicing solutions.

While this guidance has been written with DSPs in mind, other software providers and Sending Service Providers (SSPs) may also benefit from the discussion on data minimisation and retention.

We understand that DSPs changing their practices around data minimisation and retention may spark questions from software users. DSPANZ is working with DSPs, government and accounting bodies to navigate these changes and provide specific resources. Keep an eye on our supporting materials page for the latest resources.

How should DSPs deal with inactive customers?

While the best practice guidance considers periods of inactivity to determine the end of the DSP-customer relationship, DSPs may want to consider reasons for inactivity and whether customers or user profiles should remain inactive or be actioned for deletion.

Some customers may only engage with their software once a year, for example in line with the annual tax cycle, and may have extended periods of inactivity. Similarly, some user profiles may be inactive as they engage with the software on an ad-hoc basis.

In most cases, these customers or user profiles should either be designated for deletion, disabled or have their passwords reset to minimise the cybersecurity risk of unauthorised access by third parties in line with the ATO's Operational Security Framework.

Where customers have ended their commercial relationship or a user profile is actioned to be deleted, DSPs should remove all records of the customer or user from the system where practicable.

How can DSPs best support their customers with changes?

DSPs should take customer-centric approaches to any changes they make to their data retention practices.

DSPs can look to support their customers in the following ways:

Remind customers of their record-keeping obligations under current legislation and what records they need to keep
Clearly communicate and educate customers before enacting any changes
Giving customers the ability o flag records or artefacts that should not be deleted
Providing data in a human-readable format or the ability to convert their data into a human-readable format, i.e. the ability to convert data into PDFs or CSVs

DSPs should also consider reflecting the following points on data retention and deletion in relevant policies, terms of service or contracts:

Indicate all roles and responsibilities of both the customer and DSP, including decision making capability, actions and approvals. This should include responsibility for monitoring legislative changes that would impact the retention of the data held by the DSP and the application of any changes to historical data.
Mechanisms for the customer to audit (or have an audit performed) on the reliability and integrity of the data to ensure their data remains viable and readable for the entire retention time.
How the DSP manages data during a merger or acquisition?
Conditions under which the DSP would agree with a customer request to retain data longer than the legislated retention period and how often the DSP would seek disposal authorisation from the customer.
How data will be disposed of to ensure the permanent erasure of data held by the DSP and the assurance provided to the customer (in the form of a disposal certificate or similar mechanism) certifying that the data is no longer recoverable.
The treatment of backups (data copies), which should be retained for shorter periods but also need to be managed and disposed of appropriately.
Specify the formats in which data is provided after the end of the commercial relationship to ensure that accessibility is maintained even without the appropriate software.

What data or records are considered out of scope?

Some employment or corporate compliance records must be kept for longer than the general 7 years. For example, employment records should be kept throughout an employee's tenure with an organisation and for up to 7 years after their termination.

While the best practice guidance provides general information about deleting data and records, it does not recommend deleting historical payroll or corporate compliance records automatically. The guidance document also recognises where various tax records must be kept longer than 5 years and that DSPs should consider how varying record retention lengths may impact their approaches to data retention and deletion.

Is the best practice guide and website content regularly updated?

DSPANZ will make best efforts to ensure the contents of the best practice guide and website content are updated to reflect changes in legislation, record-keeping requirements or industry best practice.

This work is licensed under Attribution 4.0 International.