Optus said it must store data for six years.
Telcos are required to hold onto customer data for at least two years after an account is closed.
Calls for government to revisit our data storage rules.
After the data breach was disclosed, Optus CEO Kelly Bayer Rosmarin said the company was legally required to keep customer data dating back to at least 2017.
In response to repeated media requests for additional information, the company said it was mindful of and complies with its obligations in line with the Telecommunications, Privacy and Corporations Acts.
Telecommunications regulation and privacy experts have tried to pin down exactly how long that data must legally be kept.
What is clear is that telcos are subject to several data retention obligations.
When a customer buys a prepaid mobile service, companies must check the ID and verify that person is who they say they are.
That's to prevent prepaid mobile phones being used for criminal purposes, and enable law enforcement agencies to identify the owners of phones.
That identity check can use a range of documents including driver licenses, passports and Medicare cards.
Then, under the Telecommunications (Interception and Access) Act, part of Australia's metadata laws, the company is also required to retain subscriber information for a minimum period of the life of the account plus two years after closure.
That includes name and address information, as well as any other information for identification purposes and documents related to that subscriber.
These provisions could be interpreted as requiring companies to keep a record of the documents they used to verify the subscriber's identity, like a passport number.
An ACMA spokesperson said the Optus data breach was "an evolving situation".
"The Australian Communications and Media Authority (ACMA) requires further information from Optus to determine whether this data breach raises questions about compliance with telco-specific obligations," he said in a statement.
"The ACMA will make public its determinations once made."
While companies are required to keep some amount of data by law, they must also keep it safe.
Rob Nicholls, an associate professor of regulation and governance at UNSW Business School, said that under metadata retention rules, companies must keep what they're storing protected and encrypted.
But there does tend "to be a conservative approach to deletion of data" in some companies, Dr Nicholls said.
"Unless a good document retention program exists, there is a risk of keeping documents unnecessarily."
Companies must take reasonable steps to destroy or de-identify personal information. They must do this once personal data is no longer needed or there is no legal obligation to hold it.
But whether the privacy regulator enforces this obligation is another question.
The privacy regulator, the Office of the Australian Information Commissioner, said its focus remained on supporting affected customers.
Following the Optus data breach, the federal government has been vocal about the lack of stiff penalties for companies found mishandling sensitive information about Australians.
Attorney-General Mark Dreyfus said there did not seem to be a valid reason for companies performing ID checks to hold onto that information long-term.
"The more data that is kept, the bigger the problem there is about keeping it safe," he said.
For further reading: ABC