Get your data retention and destruction program up and running

By Valeska Bloch, Isabelle Guyot, Lauren Holz, Saskia O'Neill
Corporate Governance Cyber Data & Privacy Risk & Compliance

Has your organisation collected more data, and kept it for longer, than necessary? 5 min read

Amid the high drama, public outrage and calls for urgent regulatory reform in the wake of the recent Optus and Medibank data breaches, one thing is clear: the best way to avoid or reduce the impact of a data breach is not to have the data in the first place.

But ensuring that organisations don't collect more data than required, and don't keep it for longer than necessary, is extremely challenging—particularly when done retrospectively.

This Insight outlines the regulatory, operational and technical complexities at issue, and summarises the six steps you can take now to accelerate (or initiate) a data retention and destruction program. You can download our full guide with practical tips on implementing such a program, and the questions your board and senior management should be asking, here

Key takeaways

  • Given the volume of regulatory requirements to retain and destroy data, it can be hard to determine which laws apply to what records and which should take precedence where there are inconsistencies.
  • Organisations need to consider:
    • the extent to which they need to collect certain data at all (eg identity documents if these could instead be sighted);
    • Whether they need to retain all of the information that they currently hold (eg underlying identity documents once ID verification has been undertaken); and
    • when (and how to delete) or de-identify information.
  • Securely destroying data can help mitigate regulatory operational and cyber risks, as well as costs if you do have a data breach.
  • Regulators expect organisations to have good governance around records management.
  • Following the recent breaches, we expect the introduction of more prescriptive requirements (and higher related penalties) for the destruction or de-identification of personal information.

The current challenge

healthcare-icons_new-classification.pngSo much data

Organisations have more data than they know what to do with. The more data an organisation handles, the greater the risk exposure, and the more difficult (and expensive) it becomes to tag, monitor, secure and (when it is no longer required) destroy, on an ongoing basis.

healthcare-icons_new-classification.pngA complex regulatory landscape

It is already mandatory for organisations subject to the Privacy Act 1988 (Cth) to destroy or de-identify personal information once it is no longer required.

Additionally, organisations must navigate and apply overlapping (and often inconsistent) laws to business records. For example, many of the 100 federal and state laws covering this area—including the Corporations Act 2001 (Cth), tax and employment laws—impose different retention periods. Others—including the Tax Administration Act 1953 (Cth) and state health records laws—also require organisations to destroy specific types of information (eg tax file numbers). Industry organisations may also mandate deletion of certain information, eg the Payment Card Industry Data Security Standard requires destruction of credit card details.

healthcare-icons_new-classification.pngIncreased regulator scrutiny

The Office of the Australian Information Commissioner (the OAIC) has been focused for some time on breaches of the Privacy Act regarding personal information. Even before the recent high-profile data breaches, it has paid increasing attention to compliance with Australian Privacy Principle 11.2, which 'requires that organisations take reasonable steps to destroy or de-identify personal information where that information is no longer required for any permitted purpose and does not otherwise need to be retained under Australian law', including two recent determinations against organisations found to have breached it. A failure to delete or de-identify personal information once it is no longer required can also lead to a finding that an organisation has not complied with its obligations to:

  • have policies and procedures in place to enable it to comply with the APPs (APP 1.2); and
  • take reasonable steps to protect personal information (APP 11.1).

healthcare-icons_new-classification.pngTechnical constraints

System limitations and data structures can make it difficult to implement data retention and deletion requirements. For example, legacy systems may not permit sufficiently granular destruction of data, and it can be hard to identify data within unstructured datasets (eg email).

Balancing the risks

There are concurrent risks and obligations for failing to retain data when required, and for holding it longer than necessary. A comprehensive and considered data retention and destruction program can significantly ease the legal and regulatory burden on organisations.


19520D graphic data retention and destruction_D.jpg

19520D graphic data retention and destruction_D.jpg

19520D graphic data retention and destruction_M.jpg

Where to begin: your six-steps to design and design and implement a data retention and destruction program

number_blue-80x80px-1.pngStep 1: Know your data

Who to involve: Project lead, Legal, Compliance and key stakeholders in each business unit.

What to ask: What data do we hold and why?

number_blue-80x80px-2.pngStep 2: Know your retention obligations

Who to involve: Legal and Compliance.

What to ask: Which records must be retained under law, industry standards or contracts (and for how long and in what form)?

number_blue-80x80px-3.pngStep 3: Know your obligations to destroy or de-identify data

Who to involve: Legal and Compliance.

What to ask: Which records or data must be destroyed or de-identified under law? When?

number_blue-80x80px-4.pngStep 4: Develop or update your data retention and destruction policy

Who to involve: Legal and Compliance.

What to ask: How do we ensure we comply with our regulatory and other obligations to retain and destroy data?

number_blue-100x100px-5.pngStep 5: Implement your data retention and destruction policy

Who to involve: Project lead, Compliance, Information Technology, Facilities or Records team responsible for hard-copy records, Legal and key stakeholders from each business unit.

What to ask: Where (including in what systems) is our data held? How do we identify and track datasets/records to ensure we are applying the relevant retention period? How do we securely delete or destroy data? Are there any technical constraints on implementation? What controls do we need to put in place to address those technical constraints?

number_blue-100x100px-6.pngStep 6: Monitor, review and enforce your policy

Who to involve: Compliance, Audit and Risk.

What to ask: Are we complying with our policy? Is it scalable?

What's next?

For more detail about these steps, download our guide below: How to design and implement a data retention and destruction program in six steps. 

We would welcome the opportunity to you chat to you about your arrangements and share best practices we are seeing across the market. Please get in touch with any of our team below.

Download data retention and destruction guide

Complete below to download your guide

Your privacy: Allens collects your personal information so we can provide and market services to you. Your information may be shared with other members of the Allens Group both in Australia and overseas. You have a right to access certain personal information that we collect and hold about you. You may contact us at Further information is available on this page.

Stay informed

Subscribe to our insights and updates