Under APP 11.2 of the Privacy Act 1988 (Cth), organisations and agencies that hold personal information must take reasonable steps to destroy or de-identify it once it is no longer needed for any purpose permitted under the Privacy Act and no Australian law or court or tribunal order requires them to retain it. APP 11.3 now makes explicit that the reasonable steps required under APP 11 include technical and organisational measures. This requirement is both a legal and an ethical obligation to protect individuals' personal information. Deletion and de-identification are more than compliance measures, however; they are crucial tools for mitigating privacy risk in a data-driven world.
Firstly, deletion is the most direct and effective way to prevent unauthorised access to or misuse of personal information, because data breaches, cyber-attacks, accidental disclosures and insider threats all depend on the data still existing. By securely deleting data that is no longer needed (and that there is no legal obligation to retain), organisations shrink their data holdings and, by extension, the volume of information that could be compromised and the harm that would follow a breach. Deleting a record from a production system is not the same as destroying it: copies held in backups, logs, analytics exports and by third-party processors must be covered as well, or the exposure remains. Deletion is especially critical for sensitive information such as health records or government-related identifiers, where poor data management can cause serious harm to affected individuals and attract significant penalties or damages for the organisation.
By contrast, de-identification allows organisations to retain the utility of data for analysis, innovation or research while substantially lowering the privacy risk. When the identifiers in personal information are removed or altered so that individuals cannot reasonably be re-identified, the resulting data poses a much lower risk if it is disclosed. De-identification supports innovation and informed decision making without compromising the privacy of individuals. However, an effective de-identification program must be robust and ongoing: it should apply the best practices current at the time of de-identification, verify that the residual re-identification risk is acceptable, and reassess that risk periodically, because new auxiliary datasets and techniques can make previously safe data re-identifiable. Where the risk has grown, the data should be de-identified again to a higher standard. Organisations should pair de-identification with strong governance frameworks, technical safeguards and secure access controls to maximise privacy protection, consistent with the technical and organisational measures APP 11.3 now expressly contemplates.
Both deletion and de-identification give effect to the core privacy principle of data minimisation. This principle runs throughout privacy law and limits the collection, use, disclosure and retention of personal information to what is strictly necessary for the organisation's needs. Applied properly, it helps organisations avoid excessive or outdated data holdings that become liabilities over time, significantly reducing privacy risk and the potential for damaging consequences such as civil penalties and damages. Minimising your data footprint reduces legal exposure, regulatory scrutiny and ongoing operational costs.
Beyond compliance, deletion and de-identification play a crucial role in building trust with customers and stakeholders by demonstrating responsible data stewardship. As public concern over data security and individual privacy continues to intensify, organisations that proactively manage their data life cycle stand to gain a competitive edge.
While APP 11.2 and 11.3 mandate the destruction or de-identification of personal information that is no longer needed, the real benefit of these practices lies in the risk they remove. They can prevent data breaches or at least reduce their impact, support ethical data use, promote data minimisation and enhance organisational trust and reputation. Implemented effectively, deletion and de-identification become foundational elements of a strong and comprehensive privacy and data governance strategy.
Atmos Legal's Privacy Risk and Digital Law team has specialised expertise and best-practice solutions across privacy risk, compliance and data governance management for your organisation.
Please reach out to us to discuss how your organisation can most effectively and economically reduce its privacy risk and ongoing data storage costs.
info@atmosgroup.com.au