Has your organisation collected more data, and kept it for longer, than necessary? 5 min read
Amid the high drama, public outrage and calls for urgent regulatory reform in the wake of the recent Optus and Medibank data breaches, one thing is clear: the best way to avoid or reduce the impact of a data breach is not to have the data in the first place.
But ensuring that organisations don't collect more data than required, and don't keep it for longer than necessary, is extremely challenging—particularly when done retrospectively.
This Insight outlines the regulatory, operational and technical complexities at issue, and summarises the six steps you can take now to accelerate (or initiate) a data retention and destruction program. You can download our full guide with practical tips on implementing such a program, and the questions your board and senior management should be asking, here.
Key takeaways
- Given the volume of regulatory requirements to retain and destroy data, it can be hard to determine which laws apply to what records and which should take precedence where there are inconsistencies.
- Organisations need to consider:
- the extent to which they need to collect certain data at all (eg identity documents if these could instead be sighted);
- Whether they need to retain all of the information that they currently hold (eg underlying identity documents once ID verification has been undertaken); and
- when (and how to delete) or de-identify information.
- Securely destroying data can help mitigate regulatory operational and cyber risks, as well as costs if you do have a data breach.
- Regulators expect organisations to have good governance around records management.
- Following the recent breaches, we expect the introduction of more prescriptive requirements (and higher related penalties) for the destruction or de-identification of personal information.
The current challenge
So much data
Organisations have more data than they know what to do with. The more data an organisation handles, the greater the risk exposure, and the more difficult (and expensive) it becomes to tag, monitor, secure and (when it is no longer required) destroy, on an ongoing basis.
A complex regulatory landscape
It is already mandatory for organisations subject to the Privacy Act 1988 (Cth) to destroy or de-identify personal information once it is no longer required.
Additionally, organisations must navigate and apply overlapping (and often inconsistent) laws to business records. For example, many of the 100 federal and state laws covering this area—including the Corporations Act 2001 (Cth), tax and employment laws—impose different retention periods. Others—including the Tax Administration Act 1953 (Cth) and state health records laws—also require organisations to destroy specific types of information (eg tax file numbers). Industry organisations may also mandate deletion of certain information, eg the Payment Card Industry Data Security Standard requires destruction of credit card details.
Increased regulator scrutiny
The Office of the Australian Information Commissioner (the OAIC) has been focused for some time on breaches of the Privacy Act regarding personal information. Even before the recent high-profile data breaches, it has paid increasing attention to compliance with Australian Privacy Principle 11.2, which 'requires that organisations take reasonable steps to destroy or de-identify personal information where that information is no longer required for any permitted purpose and does not otherwise need to be retained under Australian law', including two recent determinations against organisations found to have breached it. A failure to delete or de-identify personal information once it is no longer required can also lead to a finding that an organisation has not complied with its obligations to:
- have policies and procedures in place to enable it to comply with the APPs (APP 1.2); and
- take reasonable steps to protect personal information (APP 11.1).
Technical constraints
System limitations and data structures can make it difficult to implement data retention and deletion requirements. For example, legacy systems may not permit sufficiently granular destruction of data, and it can be hard to identify data within unstructured datasets (eg email).
Balancing the risks
There are concurrent risks and obligations for failing to retain data when required, and for holding it longer than necessary. A comprehensive and considered data retention and destruction program can significantly ease the legal and regulatory burden on organisations.
Where to begin: your six-steps to design and design and implement a data retention and destruction program
|
|
|
|
|
|
Step 1: Know your data
Step 2: Know your retention obligations
Step 3: Know your obligations to destroy or de-identify data
Step 4: Develop or update your data retention and destruction policy
Step 5: Implement your data retention and destruction policy
Step 6: Monitor, review and enforce your policyWhat's next?
For more detail about these steps, download our guide below: How to design and implement a data retention and destruction program in six steps.
We would welcome the opportunity to you chat to you about your arrangements and share best practices we are seeing across the market. Please get in touch with any of our team below.
Download data retention and destruction guide
Your privacy: Allens collects your personal information so we can provide and market services to you. Your information may be shared with other members of the Allens Group both in Australia and overseas. You have a right to access certain personal information that we collect and hold about you. You may contact us at PrivacyCompliance@allens.com.au. Further information is available on this page.