After 18 months of deliberation the Australian Internet Industry Association (IIA) has released a draft code of conduct for Internet service providers (ISPs) assisting law enforcement in the investigation of cybercrime.
The IIA is seeking public submissions before August 21 on the code which aims to establish clear policies and procedures for law enforcement investigations and recommends ISPs retain personal information for up to 12 months including customer details, user names, phone numbers and account details such as home addresses.
IP allocation records, dates and times of log-ins and total data transferred will also need to be retained; however, privacy concerns has been a stumbling block in the development of the code as ISPs with revenues under $3 million a year are not covered by the Privacy Act.
The issue was raised by the Federal Privacy Commissioner Malcolm Crompton during consultations with the IIA as part of the code's development, according to the commissioner's spokeswoman.
As a result the IIA has advised smaller ISPs that to be party to the code, regardless of size, they must abide by the National Privacy Principles (NPP) when collecting and retaining information.
IIA chief executive Peter Coroneos said the code addresses the frustrations of law enforcement agencies who find that by the time they approach ISPs for information about suspects the data has been overwritten or discarded.
"In framing the code we have been at pains to strike what we are convinced is a reasonable balance. Where ISPs already collect customer information in the course of their business operations this code stipulates minimum retention periods for that data," he said.
The code does not require ISPs to capture caller line identification or caller name display data.