Data retention

The Telecommunications (Interception and Access) Act 1979 requires telecommunications companies to retain a particular set of telecommunications data for at least two years.

These obligations ensure Australia’s law enforcement and security agencies are lawfully able to access data, subject to strict controls. Access to data is central to almost all serious criminal and national security investigations.

A copy of the data set required to be retained and secured is available to download below:

The data retention scheme will be reviewed by the Parliamentary Joint Committee on Intelligence and Security, commencing in 2019.

Office of Communications Access and Cybercrime

The Office of Communications Access and Cybercrime (OCAC) is the central liaison point between the telecommunications industry and law enforcement and security agencies regarding the obligations in the Telecommunications (Interception and Access) Act 1979, including data retention.

A primary role of the OCAC is to help members of the telecommunications industry to understand and comply with their obligations under the Act.

The OCAC can be contacted by phone on 02 6141 2884 or email at

Data Retention Industry Grants Programme

The Data Retention Industry Grants Programme assists eligible telecommunications service providers to meet their data retention obligations.

The programme consists of a single funding round which provides grants to carriers, carriage service providers and internet service providers. More information is available on the Data Retention Industry Grants Programme page.

Service provider obligations

Telecommunications service providers that use infrastructure in Australia to operate any of their services may be subject to data retention obligations. Service providers include licensed carriers, carriage service providers and internet service providers. Some services are excluded from the data retention obligations.

The data retention obligations require some telecommunications service providers to retain specific telecommunications data (the data set) relating to the services they offer for at least two years. The retained data must be encrypted and protected from unauthorised interference and access. Some subscriber information (a category of data in the data set) must be retained for the life of the account and for a further two years after the account is closed.

Depending on the type of service offered, service providers may not be required to retain all categories of data in the data set. The department has developed the following guidance materials to support industry in understanding its data retention obligations (these documents may be subject to further updates):

Implementation period

The data retention implementation period ends on 13 April 2017. After this date, a service provider is expected to be fully compliant with the data retention obligations, unless the service provider is operating under an approved exemption. More information is available in the following fact sheet:

Exemptions and variations

Service providers may apply to the Office of Communications Access and Cybercrime for exemptions from and/or variations to their data retention obligations. Exemptions and/or variations will be considered on a case-by-case basis and are confidential in nature.

You should contact the OCAC by phone on 02 6141 2884 or email at to discuss further.

About data retention

In the context of the data retention obligations, data is information about a communication rather than the content or substance of a communication:

  • For phone calls, data includes the phone numbers of the people talking to each other and how long they talked for—not what they said.
  • For emails, data is information such as the relevant email addresses and when the email was sent—not the subject line of the email or its content.

The Telecommunications (Interception and Access) Act 1979 does not require companies to retain data that may amount to a person’s web-browsing history.

Data is used in almost every serious criminal or national security investigation, including murder, counter-terrorism, counter-espionage, sexual assault and kidnapping cases. Agencies use data to:

  • quickly rule innocent people out from suspicion and further investigation
  • identify suspects and networks of criminal associates
  • support applications for warrants to use more complex and intrusive tools, such as interception
  • support prosecutions as evidence.

Access to telecommunications data under the Act is subject to a number of safeguards. In particular:

  • access to data is limited to a defined list of law enforcement and national security agencies
  • agencies that may access data are subject to independent oversight by the Commonwealth Ombudsman, or by the Inspector-General of Intelligence and Security in the case of the Australian Security Intelligence Organisation (ASIO)
  • the Minister for Home Affairs reports to Parliament on the operation of the data retention scheme each year
  • where ASIO or enforcement agencies require access to a journalist’s data for the purpose of identifying a source, those agencies are required to obtain a warrant, and report all such requests to their respective independent oversight body.

Data retained by the telecommunications industry under the Act is personal information for the purposes of the Privacy Act 1988.

The Privacy Commissioner assesses telecommunications companies’ compliance with the Australian Privacy Principles in relation to retained data (and more broadly) and monitors industry’s non-disclosure obligations under the Telecommunications Act 1997.

Contact details

Office of Communications Access and Cybercrime
Phone: 02 6141 2884