
What Should Be My Minimum and Maximum Data Retention Periods Under the Australian Privacy Act?

Written by Sally Wood
Updated over 7 months ago

Determining the appropriate data retention periods is crucial for compliance with the Australian Privacy Act. Keeping data for too long or not long enough can lead to compliance issues and potential legal risks. This article will guide you through setting the minimum and maximum data retention periods for your organisation.

Please keep in mind that this article is general in nature only. Seek professional advice on specific matters, ideally from lawyers engaged under a costs agreement so that legal professional privilege (LPP) applies to that advice.


1. Understanding Data Retention Requirements

The Privacy Act 1988 (Cth) doesn’t specify exact time frames for data retention. Instead, Australian Privacy Principle (APP) 11.2 requires an organisation to take reasonable steps to destroy or de-identify personal information once it is no longer needed for any purpose for which it may be used or disclosed under the APPs, unless the organisation is required by law, or by a court or tribunal order, to keep it. Once the purpose is fulfilled and no such obligation applies, the data should be securely deleted or de-identified.

Key Principle:
Data should not be kept "just in case." Only retain personal information for as long as it’s necessary.


2. Setting Minimum Data Retention Periods

What is a Minimum Retention Period?
The minimum retention period is the shortest amount of time you need to keep personal information to fulfil legal, regulatory, or business requirements.

Examples of Minimum Retention Periods:

  • Financial Records: Keep for at least 7 years. The Corporations Act 2001 requires companies to keep financial records for 7 years after the transactions they cover; check the ATO’s requirements for the tax records you hold as well.

  • Employee Records: Retain for at least 7 years after employment ends, to comply with workplace laws.

  • Health Records: Retain for a minimum of 7 years from the last date of entry for adults (or longer if required by specific health regulations).

Guidance:
Identify any legal or regulatory obligations specific to your industry that dictate minimum retention periods.


3. Setting Maximum Data Retention Periods

What is a Maximum Retention Period?
The maximum retention period is the longest time you can keep personal information before it must be deleted or de-identified, unless a valid reason to retain it still exists.

Examples of Maximum Retention Periods:

  • Customer Data: Typically, retain for as long as the customer relationship exists, plus a reasonable period afterward (e.g., 2 years) to handle any potential disputes.

  • Marketing Data: Retain until consent is withdrawn or the data is no longer needed, then delete or anonymise it.

  • Inactive Accounts: Data associated with inactive accounts should be deleted or anonymised after a set period, such as 5 years of inactivity.

Guidance:
Data you no longer need still has to be secured, is still in scope if you suffer a breach (including for the Notifiable Data Breaches scheme), and keeping it past its purpose can itself be a breach of APP 11.2. Treat every record kept beyond its useful life as added exposure, not as a free option.


4. Special Considerations

  • Legal Holds: If personal information is relevant to ongoing litigation or investigations, you may need to retain it beyond the usual period. Record the hold against the specific records it covers rather than pausing disposal across the board, and have a process in place to lift the hold and delete the data once it’s no longer required.

  • Anonymisation: When data is no longer needed in its identifiable form, consider anonymising it instead of deleting it. This allows you to retain useful information for analytics without compromising privacy. Anonymising means the individual is no longer reasonably identifiable, including when the remaining data is combined with other data you hold or could obtain; removing names alone is often not enough.


5. Implementing a Data Retention Policy

To ensure compliance, establish a clear data retention policy that outlines:

  • What data is retained

  • Why it’s retained

  • How long it will be retained

  • How it will be securely deleted or anonymised

Action Steps:

  • Review all types of personal information your organisation collects.

  • Determine the minimum and maximum retention periods based on legal, regulatory, and business needs.

  • Set up automated processes where possible to manage data deletion and anonymisation, and log what was disposed of, when, and under which rule so you can evidence compliance.
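The following is an added example of what an automated retention check from the action steps above, and the legal-hold and anonymisation handling from section 4, can look like in code. It is not code from the original article or from any product. The retention schedule, category names, identifying-field list and sample records are all assumptions made for the example; the periods must be confirmed against the laws that actually apply to your organisation.

```python
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import Optional


class Action(Enum):
    RETAIN = "retain"          # still inside a required or justified period
    HOLD = "hold"              # legal hold overrides the schedule
    DELETE = "delete"          # securely delete the whole record
    ANONYMISE = "anonymise"    # strip identifiers, keep the rest for analytics


@dataclass(frozen=True)
class RetentionRule:
    min_years: int               # shortest period the record must be kept
    max_years: Optional[int]     # longest period it may be kept; None = until a trigger event
    anonymise: bool              # True: de-identify at end of life instead of deleting


# Hypothetical retention schedule (an assumption for this example, not legal advice).
SCHEDULE = {
    "financial":        RetentionRule(min_years=7, max_years=7, anonymise=False),
    "employee":         RetentionRule(min_years=7, max_years=7, anonymise=False),
    "customer":         RetentionRule(min_years=0, max_years=2, anonymise=True),
    "marketing":        RetentionRule(min_years=0, max_years=None, anonymise=False),
    "inactive_account": RetentionRule(min_years=0, max_years=5, anonymise=True),
}

# Fields treated as directly identifying when a record is anonymised (assumed list).
IDENTIFYING_FIELDS = {"name", "email", "phone", "address", "date_of_birth"}


@dataclass
class Record:
    record_id: str
    category: str
    trigger_date: date             # event the clock runs from: last entry, end of relationship, last activity
    fields: dict
    legal_hold: bool = False
    consent_withdrawn: bool = False  # marketing data: the individual has opted out


def add_years(d: date, years: int) -> date:
    """Add calendar years; 29 Feb rolls back to 28 Feb in a non-leap target year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def decide(record: Record, today: date) -> Action:
    """Apply the schedule to one record: hold > minimum period > maximum period / trigger event."""
    rule = SCHEDULE.get(record.category)
    if rule is None:
        # Fail safe: never dispose of data the schedule does not cover; surface the gap instead.
        raise ValueError(f"no retention rule for category {record.category!r}")
    if record.legal_hold:
        return Action.HOLD
    if today < add_years(record.trigger_date, rule.min_years):
        return Action.RETAIN      # legal minimum not yet reached, even if deletion was requested
    expired = rule.max_years is not None and today >= add_years(record.trigger_date, rule.max_years)
    if expired or record.consent_withdrawn:
        return Action.ANONYMISE if rule.anonymise else Action.DELETE
    return Action.RETAIN


def anonymise(fields: dict) -> dict:
    """Drop the directly identifying fields; the rest is kept for analytics."""
    return {k: v for k, v in fields.items() if k not in IDENTIFYING_FIELDS}


def run_schedule(records, today: date) -> dict:
    """Evaluate every record and return {record_id: Action}."""
    return {r.record_id: decide(r, today) for r in records}


# Constructed sample records for the example (not real data).
SAMPLE = [
    Record("inv-1", "financial", date(2019, 6, 30), {"name": "A. Citizen", "amount": 120.0}),
    Record("inv-2", "financial", date(2017, 6, 30), {"name": "B. Citizen", "amount": 80.0}, legal_hold=True),
    Record("cust-1", "customer", date(2022, 12, 31), {"name": "C. Citizen", "email": "c@example.com", "plan": "pro"}),
    Record("cust-2", "customer", date(2024, 3, 1), {"name": "D. Citizen", "email": "d@example.com", "plan": "basic"}),
    Record("mkt-1", "marketing", date(2023, 1, 1), {"email": "e@example.com", "segment": "newsletter"}, consent_withdrawn=True),
    Record("acct-1", "inactive_account", date(2021, 1, 15), {"name": "F. Citizen", "logins": 3}),
]

if __name__ == "__main__":
    today = date(2025, 6, 1)
    for rid, action in run_schedule(SAMPLE, today).items():
        print(rid, action.value)
```

Three design points carry over from the article: a legal hold is checked before anything else, the minimum period is checked before any trigger event so a deletion request cannot remove records you are legally required to keep, and an unknown category raises rather than silently deleting, so gaps in the schedule show up as errors instead of as lost data.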


Determining and adhering to appropriate data retention periods is essential for compliance with the Australian Privacy Act. By setting clear minimum and maximum retention periods, you can protect your organisation from legal risks and ensure the privacy of the individuals whose data you handle.
