It is arguable that the telco does not need to store anything at all. They can verify your identity but not store anything. (The problem there is that the government wouldn’t trust that the telco has verified your identity.)
Alternatively, they could pass the information directly to the government for verification and, if the government chooses to, storing - the government would respond with an unforgeable token that the telco would store so that the government cannot repudiate later on that they provided confirmation to the validity of the identification. While that is a highly offensive option from a privacy point of view, given the obscene level of surveillance that already occurs in the telco and finance sectors, it should be an option that is on the table for discussion.
I remain to be convinced that a telco has to know whether you are legally permitted to drive.
So we should also be looking at better alternatives than the drivers licence as identification. (If a person has neither drivers licence nor passport, what does the telco do? Maybe next time I am becoming a telco customer I will lie and say that I have neither and see what happens.) The point is that a single identifier that is widely abused becomes a greater risk.
Depending on exactly what was the purpose of involving the drivers licence in setting up a telecommunications service, it may be an option to store the drivers licence (salted and) hashed rather than encrypted or in plaintext. (That applies as a possibility whether it is the telco storing it or the Federal government storing it.)
This data leak was foreseeable and was foreseen. The government was told that this would happen. It could easily be that the consequences of this data leak are worse than the problem that the government was attempting to solve.
At the very least the government might relent on the length of the retention period after a customer has ceased to be a customer e.g. 6 months rather than 2 years (and then legislate that the retention period is both a minimum and a maximum). That is just harm minimisation for former customers.
Other countries manage to avoid collecting drivers licence etc. when creating a new telecommunications account.
The bottom line is that a sensible government would be revisiting their own decisions rather than just trying to ensure that the government avoids all blame.
A misunderstanding I think. I didn’t mean a cop out by you. I meant a cop out by the government. This comment was mostly motivated by the link that was in the post two above my previous post where the government is going on the attack (attack is the best form of defence?) because it is obvious that thinking Australians will start to question the government’s own policy decisions and role in this debacle.