Data deletion policies – do you have one?
As we reach the end of Privacy Awareness Week (PAW) 2020 we also move to the end of the Ctrl+Alt+Delete function, to the delete phase for rebooting privacy.
Under Australian Privacy Principle 11 (APP 11) organisations are required to take reasonable steps to destroy or de-identify personal information when it is no longer required for the purpose for which it was collected.
Many organisations have document retention policies which deal with the destruction of documents and the data contained in them within certain timeframes. However, personal information stored in systems (rather than in specific documents) is often retained for far longer than any document would be, and it remains a risk to the organisation for as long as it is held, because it can be subject to unauthorised access or misuse.
This was certainly an issue in some of the major data breaches of the last few years, including the breach of the Australian National University, in which student and staff information going back 19 years was accessed.
What is required for destruction?
The Office of the Australian Information Commissioner (OAIC) provides guidance to organisations as to what will satisfy APP 11 in terms of destruction or de-identification in its guide to securing personal information. Some of this overlaps with document destruction or retention procedures, particularly where documents and information are held in hard copy.
For hard copy destruction, which is often outsourced, organisations need to clarify what happens when documents leave their possession for destruction. For example, will they be destroyed in an appropriate manner, such as through pulping, pulverising, disintegrating or shredding?
Many breaches occur every year where complete files are found to have been placed in dumpsters or in other storage that has been subject to unauthorised access. Where information is held on hardware or in electronic form, the same rule applies: is it removed in a way that makes the personal information irretrievable from that hardware? Simply deleting a file or reformatting a drive is generally not enough, as the underlying data usually remains recoverable until it is overwritten, cryptographically erased or the media is physically destroyed.
If information cannot be irretrievably destroyed, "reasonable steps" may instead mean putting the personal information "beyond use". While this approach is regarded as applicable only in very limited circumstances, it meets the requirements if there are appropriate technical, physical and organisational security boundaries around the information which prevent access or use.
Is de-identifying information enough?
This is often seen as a simple way of dealing with information while also allowing entities to retain some elements of the information for business use. However, de-identification is only successful if the information cannot subsequently be re-identified, and removing names alone is rarely sufficient where the remaining attributes (such as postcode, date of birth and sex) can be linked to other datasets. There is detailed guidance on what meets the test of de-identification. For example, the OAIC together with CSIRO's Data61 have published a De-identification Decision-Making Framework which provides practical guidance on de-identification.
Other useful resources are listed in the OAIC's guide to securing personal information.
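The re-identification risk described above can be checked rather than assumed. The following is an added example, not code from the OAIC or Data61 and not part of the framework they publish: it uses a k-anonymity measure (a method this example introduces; the page does not name one) on a constructed customer dataset to show that dropping the name column leaves records that can be linked back to named individuals through a constructed public directory, and that coarsening the remaining quasi-identifiers before release removes the unique matches. Field names, the sample records and the generalisation rules are all assumptions for illustration.

```python
"""Checking whether a "de-identified" dataset can still be re-identified.

Added example (not from the OAIC/Data61 framework). Removing direct
identifiers is not de-identification if the remaining attributes, the
quasi-identifiers, still single out a person. The measure used is
k-anonymity: the smallest number of records sharing one combination of
quasi-identifier values. k == 1 means somebody is unique and linkable.
"""
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample data: records an organisation might hold about customers.
CUSTOMER_RECORDS: List[Dict[str, str]] = [
    {"name": "A. Nguyen", "postcode": "2000", "birth_year": "1984", "sex": "F", "condition": "asthma"},
    {"name": "B. Smith",  "postcode": "2000", "birth_year": "1984", "sex": "F", "condition": "none"},
    {"name": "C. Patel",  "postcode": "2037", "birth_year": "1986", "sex": "M", "condition": "diabetes"},
    {"name": "D. Jones",  "postcode": "2037", "birth_year": "1991", "sex": "M", "condition": "none"},
    {"name": "E. Lee",    "postcode": "2040", "birth_year": "1991", "sex": "F", "condition": "migraine"},
]

# Constructed "public" list an attacker could link against (for example a directory).
PUBLIC_DIRECTORY: List[Dict[str, str]] = [
    {"name": "C. Patel", "postcode": "2037", "birth_year": "1986", "sex": "M"},
    {"name": "E. Lee",   "postcode": "2040", "birth_year": "1991", "sex": "F"},
]

DIRECT_IDENTIFIERS = ("name",)
QUASI_IDENTIFIERS = ("postcode", "birth_year", "sex")
GENERALISED_QIDS = ("postcode", "birth_year")   # after generalise() drops "sex"


def strip_direct_identifiers(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Naive "de-identification": drop the name column and nothing else."""
    return [{k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS} for r in records]


def quasi_key(record: Dict[str, str], quasi_ids=QUASI_IDENTIFIERS) -> Tuple[str, ...]:
    """The combination of quasi-identifier values that a linkage attack joins on."""
    return tuple(record[q] for q in quasi_ids)


def k_anonymity(records: List[Dict[str, str]], quasi_ids=QUASI_IDENTIFIERS) -> int:
    """Smallest group size over all quasi-identifier combinations present."""
    counts = Counter(quasi_key(r, quasi_ids) for r in records)
    return min(counts.values())


def reidentify(deidentified, public, quasi_ids=QUASI_IDENTIFIERS) -> Dict[str, str]:
    """Linkage attack: join the released set to a named public list on the
    quasi-identifiers. A combination unique in the released set recovers the
    sensitive attribute for a named person. Returns {name: condition}."""
    counts = Counter(quasi_key(r, quasi_ids) for r in deidentified)
    by_key = {quasi_key(r, quasi_ids): r for r in deidentified}
    hits: Dict[str, str] = {}
    for p in public:
        key = quasi_key(p, quasi_ids)
        if counts.get(key) == 1:
            hits[p["name"]] = by_key[key]["condition"]
    return hits


def generalise(record: Dict[str, str]) -> Dict[str, str]:
    """Coarsen quasi-identifiers: postcode to its first two digits, birth year to
    a decade, and drop sex. These rules suit the sample data only; real choices
    depend on the dataset and on what it might be linked with."""
    out = dict(record)
    out["postcode"] = record["postcode"][:2] + "**"
    out["birth_year"] = record["birth_year"][:3] + "0s"
    out.pop("sex", None)
    return out


def deidentify(records: List[Dict[str, str]], k_required: int = 2) -> List[Dict[str, str]]:
    """Strip direct identifiers, generalise, and refuse to release the data
    unless every quasi-identifier combination is shared by at least k_required records."""
    released = [generalise(r) for r in strip_direct_identifiers(records)]
    k = k_anonymity(released, GENERALISED_QIDS)
    if k < k_required:
        raise ValueError(f"dataset is only {k}-anonymous; re-identification risk too high")
    return released


if __name__ == "__main__":
    naive = strip_direct_identifiers(CUSTOMER_RECORDS)
    print("names removed only: k =", k_anonymity(naive))
    print("linked back to named people:", reidentify(naive, PUBLIC_DIRECTORY))
    released = deidentify(CUSTOMER_RECORDS)
    print("after generalisation: k =", k_anonymity(released, GENERALISED_QIDS))
    print("linkage attempt now finds:",
          reidentify(released, [generalise(p) for p in PUBLIC_DIRECTORY], GENERALISED_QIDS))
```

With the name column removed, three of the five sample records are still unique on postcode, birth year and sex, and two of them match entries in the directory, so the "de-identified" file gives away a named person's health condition. After generalisation every remaining combination is shared by at least two records and the same linkage attempt finds nothing. The threshold k_required is a policy choice; the point of the check is that release is refused, rather than assumed safe, when the data does not meet it.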
This publication does not deal with every important topic or change in law and is not intended to be relied upon as a substitute for legal or other advice that may be relevant to the reader's specific circumstances. If you have found this publication of interest and would like to know more or wish to obtain legal advice relevant to your circumstances please contact one of the named individuals listed.