Owen Pitt, Associate, Stephens Lawyers & Consultants

Under Australian Privacy Law, organisations that hold Personal Information must take steps that are reasonable to destroy or de-identify personal information that the entity no longer needs for any purpose, and which is not contained in a Commonwealth record or otherwise required to be retained under an Australian law or order of a court/tribunal.

Despite such requirements under Australian law, highly publicised mass data breaches in 2022 and 2023 revealed that many large organisations are retaining data that is no longer required and should have been destroyed.

Risk of Retention

Survey findings published by the Office of the Australian Information Commissioner in August 2023 indicate that 75% of Australians view mass data breaches as one of the biggest risks to their privacy. This is not surprising, given that in the first half of 2023 data breaches affected more than 10 million Australians[i].

The highly publicised Optus and Medibank mass data breaches in late 2022 included personal information of individuals who were no longer customers of Optus or Medibank, and whose information the companies may have had no reason to still be holding.

Failing to destroy data and information that an entity no longer has any reason to retain can expose the entity to:

  1. Risk of enforcement action being taken by the Office of the Australian Information Commissioner pursuant to the Privacy Act 1988 (Cth) for breaches of the Australian Privacy Principles. The penalty for a serious or repeated breach of the Australian Privacy Principles by a corporation is the greater of AU$50 million, three (3) times the value of any benefit obtained through the misuse of information, or 30 percent of the company’s adjusted turnover in the relevant period.[ii]
  2. In the event that the data is the subject of a data breach, risk of individuals affected by the breach making claims for compensation, including by class actions.
  3. Severe reputational damage, resulting in loss of business and customers.

Further findings published by the Office of the Australian Information Commissioner indicate that the vast majority of data breaches result from malicious or criminal attacks or from human error, which are responsible for 70% and 26% of data breaches respectively[iii]. A policy of destroying data and information that is no longer needed by the organisation can mitigate the severity of any adverse impact resulting from the organisation’s data being the subject of a malicious attack or disclosed as a result of human error.

Reasons for Retention

When implementing procedures for the destruction of data and information, an entity must also consider the many different reasons why it may be required at law to retain certain data or information. There are many Australian acts, rules and regulations that require entities to retain specific types of information for set periods of time. The data retention requirements that will apply to an entity will depend on the nature of the entity, the nature of its business and the type of data and information it holds. For example:

  1. telecommunications service providers are required to keep certain types of subscriber information for 2 years from the date of creation;[iv]
  2. businesses must retain records of all transactions related to the business’s tax and superannuation affairs for at least 5 years from the date of preparation;[v]
  3. companies are required to retain financial records for 7 years after the transactions covered by the records are completed;[vi]
  4. registered NDIS service providers are required to maintain records of information relating to complaints received for 7 years from the date the record was made;
  5. Commonwealth records can only be disposed of or destroyed by Government agencies in accordance with the Archives Act 1983 (Cth).[vii]

Accordingly, an entity must carefully consider what data and information it is required to retain, when introducing procedures for the destruction of data and information it no longer needs.

Proposed Legislative Change

On 28 September 2023 the Australian Government published its “Government Response – Privacy Act Review Report”[viii] (the ‘Report’). The Report sets out the Government’s response to changes to the Privacy Act 1988 (Cth) proposed by the Attorney General’s Department following 2 years of extensive consultation. The Report indicates that the Government agrees “in-principle” with legislative changes that would require entities to establish maximum and minimum periods for retention of personal information, having regard to the type and sensitivity of the data, as well as any other obligations the entity may have for retaining the data. Under the proposed changes, entities would also be required to state in their privacy policies how long the entity retains personal information.

Accordingly, the proposed changes, if introduced, will make it a legal requirement for entities that hold personal information to have an information retention and destruction policy.

Data Retention and Destruction Policy

An effective Data Retention and Destruction Policy provides an entity with a clear roadmap to ensure compliance with its obligations at law to:

  1. retain the data and information that the entity is legally obliged to retain;
  2. destroy or de-identify information or documents it no longer requires and that are not required to be retained at law.

There is no one-size-fits-all approach to the preparation of a Data and Information Retention Policy because an organisation’s obligations to either retain, destroy or de-identify the information and data it holds will depend on:

  1. the nature of the organisation;
  2. the type of information and data it holds;
  3. which legislation, regulations, rules or standards will apply to the organisation and the type(s) of information it holds;
  4. whether the information must be retained for any other reason, such as by order of a court or tribunal, or under agreements with third parties (for example, insurance policies that require retention of certain data and information);
  5. whether the information or data is required for disclosure in current court proceedings, or in anticipated legal claims or court proceedings.

If unsure about its obligations under law in relation to the destruction and retention of documents, data and information, an organisation should seek legal advice and assistance in order to prepare an effective Data Retention and Destruction Policy.

How Stephens Lawyers & Consultants Can Assist

Stephens Lawyers & Consultants have extensive experience advising and assisting clients in respect of their obligations under all aspects of Australian privacy and data protection and cybersecurity laws.

When assisting our clients to develop and implement effective Data Retention and Destruction Policies and procedures, we work with our clients to:

  1. identify the existing and proposed relevant legislation, regulations, rules and standards that apply to the organisation and the documents and information the organisation holds.
  2. prepare a Data and Information Retention Policy that is appropriate for our client, having regard to the size and nature of our client’s organisation and to the types of documents, data and information they collect, hold and use.

If you have any questions about whether your organisation or business needs or should have a Data and Information Retention Policy, please feel free to make an enquiry through our website at https://stephens.com.au/contact-us/ or email us at [email protected].


Disclaimer: This information sheet is not intended to be a substitute for obtaining legal advice.

Authored by Owen Pitt, Associate, Stephens Lawyers & Consultants; © Stephens Lawyers & Consultants, 13 February 2024.  

For further information contact:

Stephens Lawyers & Consultants

Melbourne Head Office

Suite 205, 546 Collins Street, Melbourne VIC 3000

Phone: (03) 8636 9100  Fax: (03) 8636 9199  

Sydney Office

Level 29, Chifley Tower, 2 Chifley Square, Sydney, N.S.W. 2000
Phone: (02) 9238 8028

Email: [email protected]

Website: www.stephens.com.au

All Correspondence to:

PO Box 16010 Collins Street West Melbourne VIC 8007

To register for newsletter updates and to send your comments and feedback, please email [email protected]


[i] OAIC, Notifiable Data Breaches Report: January to June 2023.

[ii] Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 (Cth), which came into effect on 13 December 2022.

[iii] OAIC, Notifiable Data Breaches Report: January to June 2023.

[iv] s 187C, Telecommunications (Interception and Access) Act 1979 (Cth).

[v] s 262A(4), Income Tax Assessment Act.

[vi] s 286, Corporations Act.

[vii] s 24, Archives Act 1983 (Cth).

[viii] Attorney General’s Department, “Government Response to the Privacy Act Review Report”, 28 September 2023; Government Response – Privacy Act Review (ag.gov.au).