The Data Minimisation and Retention Focus Group was created as an outcome from the ATO's DSP Strategic Working Group and tasked with drafting an industry best practice guide that summarised the group's key themes and outcomes.
The focus group met throughout 2023 and included representatives from DSPs, the Australian Taxation Office (ATO) and accounting bodies. Throughout the course of the focus group, members also take part in an out of session exercise on what data artefacts best represent different records.
The outcomes from each focus group meeting can be accessed below.
Meeting 1
The focus group began with an introduction of the topic and the key drivers for DSPs to look at data minimisation and retention, including:
- Cyber incidents
- Costs of data storage
- Digital transformation
- Varying customer expectations
- Changes to tax reporting requirements and employer obligations
Meeting 2
The ATO gave a presentation on the current taxpayer minimum data retention requirements and the specific DSP and tax practitioner obligations. The group recognised that taxpayers are ultimately responsible for record-keeping but that DSPs play a role in assisting taxpayers with meeting these obligations.
The group discussed potential challenges around deleting data and the different datasets that form certain records. It was suggested that
DSPs should have information readily available to their customers on their data retention and deletion practices and that customers should
be able to access their data before it is deleted.
Meeting 3
The focus group reviewed and discussed the results from the data classification survey which pointed to human-readable formats as the best representation of tax, invoicing, employee obligation, superannuation and business registry records. The group discussed the importance of customers being able to obtain their data in a human-readable format. The group agreed that data portability between DSPs was out of scope for the guidance.
The group covered current data retention practices and recognised that DSPs, outside the Operational Security Framework audit logging requirement, do not have record-keeping obligations but will retain data in line with their customer's requirements. Members shared their experiences with deleting and restoring data. The group considered what would trigger the end of a commercial relationship with a customer and therefore where DSPs could delete data.
The group recognised that changes to DSP data retention practices would impact tax practitioners and taxpayers and that education will
be required.
Meeting 4
The focus group reviewed the first draft of the industry best practice document. Feedback from the group included:
- Detailing how DSPs retain the data of paying customers
- Providing information on reasonable steps to contact customers before deleting data
- Educating customers about their record-keeping obligations and the role that software plays
The group broadly agreed that the document should not contain specific technical or legislative information but it could provide
example or resources for DSPs. The group discussed appropriate minimums and maximums for deleting data reflecting on recent examples.
Meeting 5
The group reviewed the high level feedback on version 0.1 of the draft outcomes document before reviewing version 0.2. It was noted that the 12 month timeframe for retaining inactive, non-paying customers was chosen as it matches the Operational Security Framework's audit logging requirement. Information on data retention for trial software was added to the document.
The group discussed next steps and publishing the draft document for public comment.