To retain or to destroy? The interaction between privacy, document retention and destruction policies

5 December 2022
Matthew Bode, Partner, Brisbane

The significance of document or data retention, whilst not as fast paced as cryptocurrency or high yielding funds, cannot be understated. Over the past couple of months, we have witnessed some high-profile data breaches that have brought to the forefront a number of questions about how data is retained (as well as destroyed), the obligations, requirements and associated policies surrounding this subject matter and how these apply in the day-to-day running of an organisation. This brief article touches upon two of the most pertinent questions in this area.

The first question discussed is, what are the data retention requirements for organisations? The second, and perhaps more pressing question in light of the recent privacy breaches affecting the business landscape, is how the Australian Privacy Principles interact with and impact these data retention requirements?

Statutory mandates are unavoidable and must be complied with. In the current environment, organisations (among other things) need to take into consideration potential brand and reputational damage that may arise from a deficient corporate document or data management policy and /or its inefficient implementation.

It is worth noting that the information contained in this article is general commentary only. No two organisations are the same.  Each and every organisation can be impacted by these requirements in varying ways including having regard to their contextual situation in the economy.

Retention Obligations

There are several pieces of legislation that need to be considered when assessing the legislative requirements to retain data and business records. Relevant legislative sources include (but are not limited to) the following:

  1. Corporations Act 2001 (Cth) (Corporations Act);
  2. Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (AML/ CTF Act) and AML/CTF Rules;
  3. National Consumer Credit Protection Act 2009 (Cth) (NCCP Act) and National Consumer Credit Protection Regulations 2020 (NCC Regs);
  4. Electronic Transactions Act 1999 (Cth) (ETA);
  5. Privacy Act 1988 (Cth) (Privacy Act) and Privacy (Credit Reporting) Code 2014 (v.2.3) (CR Code); and
  6. Personal Property Securities Act 2009 (Cth) (PPSA).

As a general rule of thumb, banks, insurers and other financial service organisations’ financial records need to be retained for 7 years following the date the service or transaction ceased being provided. For example, for a lending entity, this may mean that a customer’s data will need to be retained for a total of 37 years – which comprises the entirety of their 30-year loan plus an additional 7 years from the last date of the loan’s repayment, or closure (subject also to the organisation’s policies regarding data retention).

A similar requirement also exists for fund managers and other promoters. When investment funds release documents to the market, including their information memorandums or disclosure documents, they are required to keep these records for 7 years.

Document retention timelines can vary depending on the type of document or record, the industry and jurisdiction(s) the organisation operates within, as well as the interaction of different government statutory regimes. It goes without saying that key documents, such as an organisation’s company constitutions and trust deed(s), should be retained indefinitely.

Statutory requirements, whilst important, are not the only relevant consideration. In some instances, an organisation will need to consider the need to retain documents and records for the ‘business purposes’ or for the purposes of actual or anticipated litigation. As such, relevant risk and document management policies should consider and have appropriate mechanisms to deal with these risks and requirements as they arise.

As one may imagine, these statutory requirements can be onerous on organisations. As a result, careful assessment, planning, policy creation and staff training are all critical in ensuring that an organisation does not breach their legal obligations.

Australian Privacy Principles

Whilst abiding by statutory-imposed timeframes is required, the Australian Privacy Principles (APPs) should also be a key consideration in any organisation’s document management or governance framework. The requirement to collect, hold and retain data is non-negotiable; organisations must comply with the relevant legislation (or otherwise face penalties).

However, within an organisation’s control and purview is how they store and retain this information. The evolution of technology has created great potential for endless opportunities, but it has also increased the risk of incidents occurring, including reportable data breaches. A key consideration to ensuring compliance with APPs is whether the data held is legitimately required to be retained for statutory or other business purposes, or whether it should be destroyed and/or anonymised.

Every organisation should ensure that they have up-to-date internal policies, procedures and guidelines regarding their data retention and disposal, having regard to legislative requirements including Privacy Act obligations. How organisations choose to design and implement their policies and procedures, including to ensure that data retention/disposal and Privacy Act obligations and principles are appropriately embedded within their organisation, is of the utmost importance.

System design and IT security will assist in protecting against some of the potential APP breaches. Data encryption, together with enhanced monitoring and management systems will aid organisations in foiling the growing threat of data breaches. Nonetheless, an organisation’s privacy strategy, including its policies, procedures, culture, behaviours and values, cannot be underestimated as these factors are the basis upon which an organisation’s privacy foundation is laid. These elements shape the day-to-day running of an organisation’s operations and decision-making processes.

The importance of a robust data and privacy compliance culture cannot be overemphasised. Strong compliance will mean that breaches are less likely to occur, and if they do occur, they can be more easily identified, investigated, reported and remediated.

We regularly assist our clients, ranging from large financial institutions, superannuation entities, mutuals and insurers to small and medium-sized enterprises, with the review, preparation of and compliance with, data retention (and disposal) obligations and associated policies and procedures, privacy and data retention frameworks.

If you found this insight article useful and you would like to subscribe to Gadens’ updates, click here.

Authored by:

Matthew Bode, Partner
Elizabeth Ziegler, Associate

This update does not constitute legal advice and should not be relied upon as such. It is intended only to provide a summary and general overview on matters of interest and it is not intended to be comprehensive. You should seek legal or other professional advice before acting or relying on any of the content.

Get in touch