Jessica Lobow and Martin Slattery recently co-presented at
the Carroll and O'Dea Charity Law Legal Seminar on questions of
Privacy Policies and document retention, from a preventative and
operative perspective. Below are some highlights from Jessica's
paper, which was directed at preventative measures.

is often a stock standard policy that was acquired at the time they
developed their website. However, it may not satisfy current

An issue of concern is the conflict between the obligation to
permanently de-identify and destroy information, and the obligation
to maintain records where they may be necessary as evidence in

In March 2014 there were significant changes to federal privacy
laws. These changes impacted most entities[1] which
handle personal information about individuals, including most
Australian companies, charities and some government agencies.
Charities and not-for-profit organisations, unless exempted, need
to comply with the Australian Privacy Principles (APPs).

The changes of 2014 empowered the Privacy Commissioner to take
enforcement steps in relation to breaches of the Privacy Act 1988
(Cth) and imposed civil penalties which could be up to $1.1m
for corporate entities and $220,000 for individuals. They also
include a penalty of imprisonment, and there are penalties for any
persons who aid, abet or knowingly assist in breaches of the
Privacy Act 1988 (Cth).

In respect to retention or destruction of information, APP 11

An APP entity that holds personal information must take
reasonable steps to protect the information from misuse,
interference and loss, as well as unauthorised access, modification

An APP entity must take reasonable steps to destroy or
de-identify this personal information it holds once the personal
information is no longer needed for any purpose
for which the personal information may be used or disclosed under
the APPs. This requirement does not apply where the personal
information is contained in a Commonwealth record or where the
entity is required by law or a court/tribunal order to retain the

There is no clear guidance as to what
"needed" means, making it very
difficult for charities and not-for-profit organisations to
determine how long personal information should be retained.

In contrast, some legislative guidance can be found in respect
to document retention, such as under the Australian Charities
and Not-for-profits Commission Act 2012 (Cth).
Organisations in the charity sector are required to retain
financial and operational records for a minimum of 7 years. The
potential conflict with APP 11 is obvious.

In addition to the requirement to de-identify personal
information that is no longer required (there is an exception if
reputation will be damaged for the deliberate destruction of
documents), a person can be found criminally liable for destruction
or de-identifying under section 317 of the Crimes Act NSW 1900
(Cth) (and corresponding state legislation), as it is an
offence to intentionally destroy documents that a person knows are,
or may be, required as evidence in a judicial proceeding, if done
in order to prevent the documents being used in such proceeding.
The person charged under this section may be liable to imprisonment
for 10 years.

organisations and charities should allocate all obligations with
respect to the Privacy Act 1988 (Cth) and document
retention to a specially nominated committee, which meets regularly,
and reports regularly to the organisation's board and executive. The
committee should be briefed to put in place policies and
procedures to deal with securing the storage of documents and
ensuring the integrity and authenticity of records and the training
up to date with the new laws.

[1] Turnover above $3m or entities electing to
adopt the federal privacy principles

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.