Keeping correct records | ACMA

Keeping correct records

1101 jpg

CSPs must keep a record of each prepaid mobile service they supply, for as long as the service is activated. 

When identity is verified at the time of activation

Under Part 5 of the Determination, the record must include:

  • information obtained about the service activator (Part 3 of Schedule 1
  • CSP name
  • the number issued for the service
  • that the CSP complied with Part 5 of the Determination in relation to the service
  • the method of identity verification—for example, existing post-paid account
  • a description of the type of evidence obtained—for example, drivers licence
  • verification transaction details for the method of identity—for example, existing post-paid account number or telephone number.

If identity is verified with a bank transfer, the CSP must also record:

  • the date it made the nominal transaction
  • the date it confirmed the account as active.

Schedule 4 of the Determination explains each approved method of identity verification in detail.

When identity is verified at the time of sale

In addition to the information to be obtained from the purchaser under section 4.3 of the Determination, the CSP must also record the following information if the purchaser’s identity was verified at the time of sale:

  • CSP name
  • the number issued for the service
  • that the CSP complied with Part 4 of the Determination at the time of sale
  • if applicable, the type of document or documents sighted
  • if purchased using a credit or debit card, either the:
    • transaction code
    • name on the card
    • last four digits of the card.

CSPs must also keep a written description of the arrangements they have in place to comply with the Determination. Refer to section 7.2 for further information.

Restrictions on recording and copying certain information

CSPs cannot record or copy the identifying number of a government document or credit/debit card number used in the verification process. However, if a purchaser or service activator consents, a CSP can record a credit/debit card number for the purpose of enabling payments for the future supply of the service (such as for recharge purposes).

CSPs must immediately destroy the identifying number of a government document once they have verified identity. 

In addition to these rules, Part 13 of the Telecommunications Act 1997 protects the confidentiality of information held by CSPs. The disclosure or use of such information is prohibited except in limited circumstances, such as the enforcement of the criminal law or providing emergency warnings.

The customer information a CSP collects can only be disclosed to agencies through a lawful request including under the Telecommunications Act and Telecommunications (Interception and Access) Act 1979, which provide mechanisms for the lawful disclosure of information to law enforcement agencies.

CSPs may also have to adhere to the Australian Privacy Principles contained in the Privacy Act 1988, which regulate how organisations handle individuals’ personal information. The Office of the Australian Information Commissioner is responsible for the Privacy Act.

Last updated: 05 March 2014