Recent high profile data breaches have highlighted how long personal information can be retained and if the destruction or deidentification of personal information should occur. In some instances, it has been alleged that entities have held onto personal information for many years after it has served its purpose, in breach of the Privacy Act (Cth) 1988 (Privacy Act) and the Australian Privacy Principles (APPs). Entities regulated by the Privacy Act (APP Entities) need to be aware of their rights and obligations with respect to managing personal information, including its retention and destruction. In particular circumstances, individuals have the right to request the destruction pursuant to the Privacy Act and the APPs. Destruction requests assist individuals to minimise and avoid the consequences of future data breaches and their personal information being accessed by hackers. The APP Entities that are receiving the most requests are banks, insurers, telcos, ISPs, utilities, schools, and retailers. This Q&A Guide will assist APP Entities to identify what policies and procedures they should implement in relation to retention, destruction, deidentification, information management and security, the relevant risks and cost considerations. Non-APP Entities are not subject to the following requirements, though may be required to destroy or correct personal information disclosed to them if directed by an APP Entity. Section 1 - Purpose 1. What was the purpose of the collection of each type of personal information? If an APP Entity holds an individual’s personal information, the entity is required to consider the purpose for which an individual’s personal information was used or disclosed by the APP Entity. 2. Was the purpose for collection of each type of personal information articulated in a privacy policy or in a collection notice? In order to comply with the APPs, each purpose should have been communicated either in the APP Entity’s privacy policy, or in a collection notice issued by the APP Entity to the relevant individual. If the purpose was not articulated, consideration should be given to either amending the privacy policy and/or issuing a collection notice that articulates the purpose of the collection of each type of personal information. Once that purpose ceases to exist then, subject to limited exceptions, the personal information should be destroyed or de-identified by the APP Entity. 3. Does the APP Entity continue to hold each type of personal information? If the answer is yes, continue to 4. If the answer is no, then the APP Entity does not have any obligations to destroy or de-identify personal information it may have previously held/ does not hold. However, there may be obligations including under APP13 to communicate correction requests in relation to personal information disclosed by the APP Entity to third parties, to ensure the third party corrects that information. Section 2 – Initial considerations regarding retention and destruction of personal information 4. Does the APP Entity need the information for any purpose articulated in its privacy policy/ collection notice? If the answer is no, continue to 5. If the answer is yes, then the APP Entity may continue to hold the personal information. 5. Is the personal information contained in a Commonwealth record, which the APP Entity is either responsible for maintaining (eg it is a Commonwealth agency) or has a contractual obligation to retain (eg it is a service provider to a Commonwealth agency)? If the answer is no, continue to 6. If the answer is yes, then the APP Entity should continue to hold the personal information. The APP Entity may have separate obligations, whether under the Archives Act or pursuant to contractual arrangements eg a service agreement. 6. Is the APP Entity required by or under an Australian law, or a court/tribunal order, to retain the information? If the answer is yes, then the personal information should be retained. If the answer is no, continue to 7. If unsure, continue to 10 as it may be of assistance then return to 6. 7. Is the personal information relevant to situations involving any of the following: (a) the prevention of a serious threat to the life, health, or safety of any individual, or to public health, or (b) the collection, use or disclosure is reasonably necessary for the establishment, exercise, or defence of a legal or equitable claim, or (c) diplomatic/ consular services, war/ warlike operations, emergency, and disaster relief, or (d) a permitted health situation exists in the provision of health services. If the answer is yes, continue to 9. If the answer is no, continue to 8. 8. Pursuant to APP11, the APP Entity must take steps that are reasonable in the circumstances to destroy the information, or to ensure that the information is de-identified. APP 11.2 states as follows: If: an APP entity holds personal information about an individual; and the entity no longer needs the information for any purpose for which the information may be used or disclosed by the entity under this Schedule; and the information is not contained in a Commonwealth record; and the entity is not required by or under an Australian law, or a court/tribunal order, to retain the information; the entity must take such steps as are reasonable in the circumstances to destroy the information or to ensure that the information is de-identified. An APP Entity needs to take reasonable steps to destroy all copies it holds of that personal information, including archived or back-up copies. An APP Entity should also have systems in place to identify personal information that needs to be destroyed or de-identified once it has served its purpose. A document destruction policy is a good starting point, followed by procedures that support that policy. Complementing document destruction policies and procedures are Information, Document Management and Security Systems and Protocols that govern how personal information should be handled and protected by an APP Entity (for example, depending on industry, ISO 27001, SOC 2, OWASP, CIS Benchmarks, CPS 231, CPS 234, CPG 235). Cost, time, and resources required to attend to destruction of personal information are not sufficient reasons for an APP Entity to be excused from the obligation to destroy personal information. In particular circumstances, unreasonable and excessive burdens on an APP Entity may be relevant, however these may only assist an APP Entity gain more time to attend to the destruction of particular personal information. However before destroying or de-identifying the personal information, check whether there is an exception that applies - continue to 10. Section 3 – Permitted general situations and permitted health situations 9. Does a permitted general situation or a permitted health situation apply? Section 16A of the Privacy Act outlines a number of ‘permitted general situations’ that allow an APP Entity to collect, use or disclose personal information, without reference to the concept of ‘purpose’ in APP11. Permitted general situations include but are not limited to situations involving the prevention of a serious threat to the life, health, or safety of any individual, or to public health or safety. For example, a doctor can disclose an individual’s personal information to police if there is a threat to the life of an individual. Exceptions also extend to diplomatic/ consular services, war/ warlike operations, emergency, and disaster relief. One of the more commonly used permitted general situations includes if ‘the collection, use or disclosure is reasonably necessary for the establishment, exercise or defence of a legal or equitable claim.’ This situation allows an APP Entity to collect personal information from, and disclose personal information to, its lawyers, experts, opposing parties and others in connection with a legal claim. However, this permitted situation will cease to be available when a claim is resolved. At that point, subject to limited exceptions, the APP Entity will be required to destroy the personal information collected, used, or disclosed by it, and to direct those to whom it has disclosed the personal information to do the same. In addition to permitted general situations under section 16A of the Privacy Act, there also exist permitted health situations under section 16B of the Privacy Act, which operate in a similar manner but in relation to the provision of health services. If a permitted health situation exists then a provider of health services may collect, use or disclose health information in particular situations. APP Entities should obtain advice if there is a chance they collect, use, or disclose personal information in connection with a permitted general situation or permitted health situation. If the answer is yes, a permitted general situation or a permitted health situation applies, then the information may be retained. If a permitted general situation or a permitted health situation do not, or no longer, apply then continue to 8. Section 4 - Exceptions 10. Does an exception apply? There are exceptions outlined in various legislation permitting or compelling an APP Entity to retain particular documents even if they contain personal information. For example, obligations that exist for the retention of personal information include both federal and state-based taxation/ revenue, and federal superannuation, laws. Additionally, there are laws permitting retention of personal information regarding the following: Financial records, compensation arrangements, registers, disclosure documents, complaints, breaches, financial advice and products under the Corporations Act (and the Financial Services Reform Act) and particular registers, records and documents under the Financial Transactions Reports Act anti-money laundering and counter-terrorism financing credit reporting and information under the Privacy Act, the Credit Reporting Privacy Code, the National Consumer Credit Protection Act and National Credit Code employee records under section 535 Fair Work Act security interests under the Personal Property Securities Act mandatory data retention obligations in the provision of telecommunication services electronic surveillance However, there are no general legislative provisions permitting personal information to be retained outside the APPs and the Privacy Act. There are difficulties in identifying all legislation containing retention obligations. As part of the Privacy Act Review Report, the Attorney-General’s Department is proposing that a review be undertaken of all legal provisions that require retention of personal information to determine if the provisions appropriately balance their intended policy objectives with the privacy and cyber security risks of entities holding significant volumes of personal information. If the answer is yes, an exception applies to that personal information, then it may be retained. If the answer is no, an exception does not, or no longer applies, to that personal information, then it should be destroyed or deidentified. In either case, continue to 11. Section 5 – Provision of personal information to a lawyer? 11. Has the personal information been provided to a lawyer? If the answer is no, continue to Costs and Administrative Resourcing Considerations If the answer is yes, personal information was provided to a lawyer, you may wish to consider the following. Clients and other parties will often, during the course of a claim, collect personal information from, and disclose personal information to, a lawyer. These parties may include insureds, experts and those providing administrative services. As mentioned above, APP11 and section 16A of the Privacy Act facilitate the collection, use and disclosure of personal information in these circumstances and a lawyer is permitted to retain personal information whilst a claim is ‘live’. However, what is a lawyer to do with personal information once a claim has been resolved? A lawyer is permitted to retain personal information if that particular personal information falls into one of the exception categories referred to above. For example, invoices, statements, and other financial documents may be retained for tax reasons despite containing references to personal information. There are further relevant considerations. Australian Solicitors’ Conduct Rule 14 (ACSR 14) states as follows: Client Documents 14.1 A solicitor with designated responsibility for a client’s matter, must ensure that, upon completion or termination of the law practice’s engagement: 14.1.1 the client or former client; or 14.1.2 another person authorised by the client or former client, is given any client documents, (or if they are electronic documents copies of those documents), as soon as reasonably possible when requested to do so by the client, unless there is an effective lien. 14.2 A solicitor or law practice may destroy client documents after a period of 7 years has elapsed since the completion or termination of the engagement, except where there are client instructions or legislation to the contrary. Whilst a lawyer may destroy client documents after a period of 7 years, a client can request the (return and) destruction of client documents prior to the expiration of 7 years. It could be advantageous, though resource intensive, for a lawyer to destroy client documents at the direction of a client in an attempt to minimise the personal information held by a lawyer. It is also noted that many Commonwealth agencies have implemented protocols for the return and destruction of personal information held by service providers (including lawyers). Increasingly, this practice is also being implemented by private sector APP Entities. ASCR 14.2 also appears to permit both retention post 7 years, as well as destruction of client documents prior to 7 years in accordance with legislation. However, what is to be done if an individual, being an opposing party, requests the opposing lawyer delete the individual’s personal information after the resolution of their claim? That is an individual may have sued APP Entity 1. APP Entity 1 was represented by Lawyer 1. Could the individual request Lawyer 1 to delete the individual’s personal information, pursuant to APP11, after resolution of the individual’s claim? Section 16A of the Privacy Act would not be of assistance to Lawyer 1 as the matter has been resolved. It is not clear whether an individual’s rights under the Privacy Act and the mechanism under APP11 would be considered legislation for the purposes of ASCR 14, but it may be arguable. There is no guidance issued by any of the State or Territory law societies, or authorities, regarding the destruction or retention of personal information with reference to the Privacy Act. Whilst a Law Council of Australia report in 2021 noted that ASCR 14.2 required clarification “about the range of statutory and other legal obligations that relate to retention and destruction of client documents”, there does not appear to have been any attempt whatsoever to provide guidance on this issue. ASCR 14 regulates client documents only, and not solicitor documents. Guidance has been issued by State and Territory law societies and legal regulators as to this distinction, with solicitor documents constituting a relatively smaller category of documents prepared by the lawyer for their own use or benefit. If a solicitor document contains personal information relating to another eg an opposing party, consideration will also need to be given to correcting, destroying or de-identifying the personal information, consistent with the obligations imposed by the Privacy Act and APPs, subject to any laws regarding retention. Continue to Costs and Administrative Resourcing Considerations. Costs and Administrative Resourcing Considerations Due to the increasing number of requests, as well as contractual obligations contained in service agreements, APP Entities need to dedicate sufficient resources to ensure the destruction or deidentification of personal information once it has served its purpose and/ or following an individual’s request. Not all documents held in relation to a particular individual will contain personal information, therefore those documents may be retained. The process of assessing which documents and personal information should be destroyed, de-identified or retained can be difficult, costly and resource intensive. Further complicating this task is the requirement for an APP Entity to determine whether it has disclosed personal information to third parties, what precisely it has disclosed, and whether that personal information should also be destroyed or de-identified. It highlights the importance of implementing appropriate information handling systems as well as document destruction policies and procedures. For lawyers, this task can be further complicated by competing obligations between ASCR 14, privacy laws, retention laws and client instructions, and the need to distinguish client documents from solicitor documents. Again, there are administrative costs in managing these considerations. Risks Recent events have increased, or will increase, the risks to APP Entities who do not act in compliance with their obligations. The relevant privacy regulator, the Office of the Australian Information Commissioner (OAIC), has received a significant increase in funding. Accordingly, enforcement is likely to follow especially in the context of notifiable data breaches and APP Entities inappropriately retaining personal information. The penalties for privacy law breaches have increased significantly, up to $50,000,000 or three times the value of any benefit obtained through the misuse of information or 30 per cent of a company's adjusted turnover in the relevant period (whichever is greater). At present, only the OAIC can commence proceedings for privacy law breaches. The Privacy Act Review Report has proposed that individuals be given a direct right of action to sue in relation to breaches involving their personal information. This will expose APP Entities to a greater risk of litigation. The Privacy Act Review Report has also proposed to amend APP 11 (and APP 1) to require APP Entities to establish their own maximum and minimum retention periods, which consider the type, sensitivity, and purpose of that information, as well as the APP Entity’s organisational needs and any obligations they may have under other legal frameworks and to communicate these matters in its privacy policy. However, this proposal will be very difficult to implement in practice. Summary APP Entities should review and implement appropriate document destruction policies and procedures, as well as information and data management and security policies and procedures that comply with relevant standards. Moray & Agnew can assist APP Entities in reviewing and implementing these policies and procedures, as well as provide guidance regarding personal information audits. APP Entities need to be mindful not only of obligations under the Privacy Act and APPs, but also a patchwork of other legislation and rules that may impact on their document destruction and retention policies and procedures. The costs associated with managing document destruction, deidentification and retention are costly and resource intensive and require the dedication of sufficient administrative resources. The increase in cost is matched by the increased risks confronting APP Entities, as a result of a better funded regulator that could seek significantly increased penalties. APP Entities may also be confronted with the threat of being sued by individuals or, indeed, groups of individuals in the form of a class action for data breaches, inappropriate collection, disclosure or holding of their personal information, or if their personal information was not destroyed or was mismanaged post resolution of a claim or after services had ceased to be provided to them. APP Entities are encouraged to seek appropriate advice to avoid and minimise the risks they are exposed to regarding the management of personal information. Moray & Agnew can advise on document and personal information destruction and retention issues, as well as other privacy issues. Further information / assistance regarding the issues raised in this article is available from the author, Bill Fragos, Special Counsel or your usual contact at Moray & Agnew.
The content of this publication is intended to provide a summary and commentary only. It is not intended to be comprehensive nor does it constitute legal advice, and has been prepared based on applicable legislation at the date of publication. You should seek legal advice on specific circumstances before taking any action. Subscribe to our Publications