"The legislative provisions which allow for certain exemptions to be granted were an important factor in Optus achieving compliance in an efficient and timely manner," Optus said in a submission to the Parliamentary Joint Committee on Intelligence and Security (PJCIS) review of the mandatory data retention regime.
"Because part of its overall data retention architecture involved storing some data in legacy systems, Optus applied for and received limited exemption from the encryption obligation."
The telco said there had been no reported "security incident or breaches" related to the retained data.
According to the metadata legislation, section 187BA states a service provider must encrypt the information stored.
Under Australia's data retention obligations, telcos must store customer call records, location information, IP addresses, billing information, and other data for two years, and make it accessible without a warrant by law-enforcement agencies.
Optus said to improve the "quality of service" it offers to agencies seeking what Optus confesses on its site is personal information, the company automated its response for certain data that is subjected to frequent requests.
"This system provides 24x7 automated and timely responses to authorised requests received in a pre-defined format," it said.
In earlier submissions, a number of Australia's enforcement agencies had pushed for a standardised format and costs for data retrieved from telcos.
Optus said cost differentiation should be expected however, since carriers operate with different underlying cost drivers and systems.
"There will be a mix of automated and human intervention applied depending on the data and request type," it said.
"In the context of a [carriage service provider] ceasing to trade this can be challenge as its business and IT systems are typically retired, its staff move on, and special arrangements are needed to maintain continuity of access to data and expertise to interpret it," it said.
Overall, Optus said it did not want changes to the retained metadata data set, but did question whether the government wanted the large amount of data expected to be generated by machine-to-machine communications and Internet of Things devices stored.
"Optus recommends that the PJCIS commission a report from Departmental officials on whether data retention obligations should be modified as they apply to low latency 5G machine to machine services and applications, and the emerging range of IoT use cases and devices," the company said.
"It may be appropriate, for example, for across the board rulings or exemptions to be made for these classes of services and it should not be left to individual providers to seek such exemptions."
A spokesperson for Optus told ZDNet the exemptions for its legacy systems were "very limited in scope and conditional on other significant compensating controls being in place to protect the security of the data".
"These controls have been independently assessed by the Office of the Australian Information Commissioner and found to be satisfactory," the spokesperson said. "The Office of the Australian Information Commissioner has a role under the legislation to review the security of personal information kept for data retention."
Updated at 10:07am AEST, 17 July 2019: Optus comments added.