Designing and implementing a data retention and destruction program - updates in 2023

• Organisations often identify 'seven years' as the default business retention period for most records—either because they assume that seven years is the regulatory retention requirement, or because they consider that to be common business practice. However, although the Corporations Act requires certain financial records to be held for seven years, many record types are neither required by law to be held for seven years, nor is there an actual business need to retain records for that period.  Organisations should treat seven-year retention periods for most records (other than regulated financial records) with some scepticism.
• Although statutory limitation periods for claims may guide a business purpose to retain a record for a particular period (eg to defend an organisation against potential claims), those limitation periods are not (in the absence of any actual or anticipated legal proceedings, obviously) a legal requirement to retain those records for the relevant periods. Organisations should carefully consider which records they may need to retain for the purposes of handling claims within statutory limitation periods. Statutory limitation periods should not be adopted as retention periods as a default.
• When assessing and documenting business purposes for retaining personal information, it is critical to ensure that that purpose is in fact permitted under any applicable privacy laws. Retaining personal information as a 'nice-to-have', for the future, is unlikely to meet your requirements under APP 6—so don't shy away from the opportunity to test those purposes against your legal obligations.
• A common concern for businesses is the technical limitations of their current systems and processes—eg where a record can't be destroyed at five years because the system doesn't have that functionality, the business isn't able to easily identify and tag records for destruction, or specific information cannot be deleted or de-identified on a granular basis without denuding the ongoing use of the remainder of the record (or related records). But organisations can't let technical constraints guide the reasons for keeping records or the retention period that is being set out in a record retention schedule or policy—it's an important consideration at implementation stage (and may require exceptions to be implemented, documented and explained), but it is not the business purpose for retention.

Organisations need to have processes and procedures in place to be able to identify records that relate to anticipated or actual legal proceedings and hold those records from any BAU deletion or de-identification. This may include transferring relevant records to other systems for storage. Whilst this is simple in theory, having the technological tools in place to identify and hold these records can be harder—but it is critical to get this process right to ensure there is no accidental deletion or de-identification of records required for legal proceedings.

Implementing a new and improved data retention and destruction program can be daunting, so it's critical to prioritise your approach. You may wish to consider the following risk factors in guiding your approach:

• the type and sensitivity of data contained in relevant records (eg we've seen an increased focus on destruction of government identification records);
• the volume of data (eg consider tackling those systems which contain lots of sensitive personal information);
• remove and rationalise duplicated data (eg organisations undertaking data-mapping exercises often find data duplicated across multiple systems, even though there is no business or regulatory reason for this);
• if there are 'quick wins' for implementation, take them; and
• the number of people who can access the data or system, including third parties (eg systems that are accessed by more people may be more likely to be subject to unauthorised access, and can increase the risk of a data breach).

When undertaking divestments, organisations should consider the systems and records they retain in relation to any divested businesses and whether those systems and records need to be retained to comply with legal requirements. Questions to help determine whether you require those records on an ongoing basis include:

• Do any legal retention obligations apply to the retained business (eg regulatory retention requirements, commitments to retain made to regulators, or anticipated or actual legal proceedings)?
• Are the records duplicated either within your own systems or as duplicates of records provided to the divested business?
• Do you have access to records held by the divested business under a records access regime? For what purpose? And for how long? Is the access regime sufficient to satisfy any legal retention requirements that apply to the retained business?

The Attorney-General's Privacy Act Reforms Report proposes a number of changes that will impact organisations' data retention and deletion practices. These include:  

• a right to delete for individuals;
• an obligation on entities to set minimum and maximum retention periods for personal information and to publish those retention periods in their privacy policy; and
• enhancement of OAIC guidelines in relation to APP 11.2.

Recent cyber incidents and data breach class actions have also shone a light on data retention and destruction policies and practices and the statements organisations make about their data-handling practices. Reviewing and updating your data retention and destruction policies and practices now will help you comply with any Privacy Act reforms of the future but, more importantly, will ensure compliance with existing obligations today and minimise the risks if you do suffer data breach or cyber incident.