Data retention – the “sleeping giant” of privacy law

13 April 2023

Last week the Office of the Privacy Commissioner (OPC) called on businesses to ensure they have sound data retention and destruction policies in place. This follows several recent data breaches involving large volumes of customer information (which in some cases had been retained for many years). 

Describing data retention as “the sleeping giant of data security” the OPC’s announcement warns that holding onto personal information for longer than is necessary can exacerbate the legal and reputational consequences of a breach. It notes: “All agencies should have a personal information retention policy that they review regularly. The simple discipline of deciding how long information will be retained as you collect it and acting on these decisions will save you and your customers a lot of pain.” 

The OPC’s comments are consistent with a trend of businesses developing and updating data retention policies to track the personal information they collect and hold. This update provides an outline of some key recommendations to consider as part of that process.

Data Retention Policies

The Privacy Act 2020 requires that agencies that hold personal information “must not keep that information for longer than is required for the purposes for which the information may lawfully be used” (Information Privacy Principle 9). 

To assist with meeting this obligation, businesses should design and implement a clear data retention policy, and review it regularly. This can be a detailed exercise and requires careful planning. We recommend that the following key steps are included in that process:   

1. Build an inventory of personal information

  • A data retention policy should identify and categorise the various items of personal information held by the business. This may require discussions with key internal stakeholders involved in managing personal information (e.g. IT, HR, CRM, or marketing staff) to ensure that the policy comprehensively lists the relevant categories of personal information. It may also require discussions with third parties (e.g. customers) for businesses that hold personal information on a third party’s behalf. Data-flow diagrams are also a useful tool to check that all sources are captured.

  • We recommend in particular involving relevant IT staff at an early stage, to assist with ensuring that personal information is precisely described in terms familiar to the IT team. That can assist in ensuring that the policy can be implemented in practice, by allowing targeted deletion of specific categories of electronic records (which can be difficult if categories of personal information are described generically or in a way which does not align with the underlying systems).

2. Apply suitable retention periods

  • For each category of personal information identified, the agency should identify a suitable retention period.

  • The Privacy Act does not prescribe specific retention periods, and analysis is required for each category of personal information (based on its sensitivity and the business’s purpose for collecting, holding and using that personal information).

  • The policy should reflect any specific statutory periods that apply (i.e. minimum or maximum periods for certain categories of personal information, such as health data, tax/customs records, employment details, or certain categories of financial information). It should also allow for appropriate exceptions (e.g. where documents relevant to ongoing litigation or an investigation are preserved and not deleted). Statutory limitation periods can also be a relevant, but not determinative, factor.

  • The policy should also reflect any applicable contractual obligations owed by the business in relation to personal information held on behalf of third parties. 

3. Implementation

  • Once the relevant retention periods are set, they must be implemented in practice. That will require ensuring periodic secure and permanent erasure of electronic personal information, as well as systems for destroying hard copy documents, in accordance with the policy.

  • These processes should also be supplemented with staff training on the importance of data retention and destruction.

  • Businesses should also ensure that contracts with third parties who hold personal information on their behalf (e.g. suppliers) include suitable controls to allow for deletion in accordance with the policy. This may include obliging the supplier to delete or return such information upon the business’s request or as soon as the contract expires or terminates, or where the information is no longer needed for the purposes of the contract.

4. Regular review

  • The data retention policy should be regularly reviewed to ensure it remains current and effective. This should happen periodically, as well as on an ad hoc basis where the business identifies any weaknesses in its data practices, or where it changes how it collects or uses personal information.

  • Any identified concerns should be addressed promptly through updates to the policy and related procedures.

  • Data retention should also form part of supplier management procedures (for suppliers that hold personal information as part of their services). 

A data retention policy should be tailored to each business. This list is not exhaustive and is intended to provide an example of measures which can assist with ensuring suitable retention periods are adopted. 

A data retention policy is particularly valuable in light of the growing risk of cyber-attacks, which are increasingly sophisticated and frequent. This has contributed to a recent surge in notifiable privacy breaches (the OPC reported a 41% increase over 2022), each of which requires formal notification to the OPC and affected individuals. When a business reports a privacy breach it must describe the compromised personal information, and the older that data is, the more likely it is that the reasonableness of its retention will be challenged.

Our data privacy experts routinely assist with developing tailored and effective data retention policies, as part of our wider privacy compliance support. For assistance with designing or updating your data retention policy, or for a copy of our Data Defence Checklist for data preparedness and breach response, please contact our Consumer, Regulatory and Compliance (CRC) team or your usual Bell Gully Advisor.


Disclaimer: This publication is necessarily brief and general in nature. You should seek professional advice before taking any action in relation to the matters dealt with in this publication.