Beyond the Breach: Data Retention in Australia

THE DATA DILEMMA

In 2023, the average cost of a data breach in Australia reached AUD $4.03 million, according to IBM’s Cost of a Data Breach report. At the same time, Australians are increasingly vocal about how organisations collect, use, and store their personal information. 

This creates a difficult balancing act. Businesses want to harness data for insights and innovation, but they must also comply with strict and evolving privacy laws that require them to safeguard and eventually delete that same data. 

The good news is that compliance can be turned into a strategic advantage. Done well, data governance improves data quality, reduces risks, and strengthens customer trust. 

AUSTRALIA’S PRIVACY FRAMEWORK

The cornerstone of Australia’s privacy regime is the Privacy Act 1988, which regulates how organisations handle personal information. It applies to most businesses with annual turnover above $3 million, as well as some smaller entities handling sensitive data. 

Central to the Act are the thirteen Australian Privacy Principles (APPs). The most relevant for data retention are: 

  1. APP 11 (Security): Organisations must take reasonable steps to protect personal information from misuse, interference, loss, or unauthorised access. 
  2. APP 4 and 11.2 (Destruction and De-identification): Personal information must be destroyed or de-identified once it is no longer needed for its original purpose, unless retention is legally required. 

Since 2018, the Notifiable Data Breaches (NDB) scheme has required organisations to notify both the Office of the Australian Information Commissioner (OAIC) and affected individuals when a data breach is likely to cause serious harm. Poor data retention practices, such as keeping outdated or unnecessary information, make breaches more damaging. 

Businesses that act early to strengthen their compliance posture will be better prepared. 

FROM HOARDING TO PURPOSEFUL COLLECTION

The principle of data minimisation is central to modern privacy practice: collect only what you need and keep it only as long as necessary. 

Different laws impose different retention periods. For example, the Corporations Act 2001 requires financial records to be retained for at least 7 years, and the Taxation Administration Act 1953 requires some tax records to be kept for 5 years. Businesses must balance these requirements with the Privacy Act’s obligation to delete data once it is no longer needed. 

Holding on to excess data may feel cautious, but it is both costly and risky. It increases storage expenses, clutters datasets that should provide clear insights, and creates a larger attack surface for cybercriminals. 

A ROADMAP FOR A ROBUST DATA RETENTION STRATEGY

Organisations can strengthen compliance and unlock value by taking five practical steps. 

  1. Discover and map your data. You cannot manage what you do not know exists. Conduct a data inventory to identify what personal information you hold, where it is stored, why it is collected, and who has access. 
  2. Develop a data retention policy. A policy should be tailored, not generic. Categorise data types such as customer records, employee files, and financial information. Assign retention periods based on legal obligations and business needs and outline how disposal or de-identification will occur. 
  3. Implement secure processes. Secure destruction is critical. For digital files this may mean cryptographic erasure, and for physical documents it may mean shredding. Distinguish between de-identification, where identifiers are removed but re-identification may be possible, and anonymisation, which is permanent but more difficult to achieve. 
  4. Embed privacy by design. Retention rules should be integrated into new systems, products, and processes from the outset, not added afterwards. This approach reduces risks and avoids costly redesigns later. 
  5. Train your team. Policies and technology alone are insufficient. Staff are the first line of defence, and regular training helps embed a culture of privacy awareness and ensures that retention rules are followed consistently. 
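Steps 2 and 3 above are the ones that turn into running code. The following is an added worked example, not part of this article or of InfoCentric's own material. It shows a small retention engine that resolves the longest applicable legal retention period for a record (the Corporations Act 7-year and Taxation Administration Act 5-year periods cited above), treats a record with no applicable obligation as due for destruction or de-identification under APP 11.2, and performs cryptographic erasure by destroying a per-record key. The record categories, the assumed two-year "business need" period for marketing data, and the sample records are constructed for illustration; the HMAC-SHA256 keystream is a standard-library stand-in for a real authenticated cipher such as AES-GCM.

```python
"""Retention-deadline resolution and cryptographic erasure (added example)."""
from dataclasses import dataclass
from datetime import date
import hashlib
import hmac
import os

# Retention periods in years per data category. The Corporations Act and
# Taxation Administration Act periods are the ones the article cites; the
# "business need" period for marketing data is a constructed assumption.
RETENTION_RULES = {
    "financial_record": ("Corporations Act 2001", 7),
    "tax_record": ("Taxation Administration Act 1953", 5),
    "marketing_lead": ("business need only (assumed)", 2),
}


@dataclass(frozen=True)
class Record:
    record_id: str
    categories: tuple  # a record may fall under several categories at once
    created: date


def add_years(d, years):
    """Add whole years to a date, mapping 29 Feb to 28 Feb when needed."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:  # 29 Feb in a non-leap target year
        return d.replace(year=d.year + years, day=28)


def retention_deadline(record):
    """Return (deadline, governing_rule) for the longest applicable obligation.

    Where several laws apply, the longest period wins, because deleting
    earlier would breach the stricter law. A record with no applicable rule
    has no reason to be kept, so its deadline is its creation date (APP 11.2).
    """
    deadline, rule = record.created, "no retention obligation (APP 11.2)"
    for category in record.categories:
        match = RETENTION_RULES.get(category)
        if match is None:
            continue
        name, years = match
        candidate = add_years(record.created, years)
        if candidate > deadline:
            deadline, rule = candidate, name
    return deadline, rule


def is_due_for_disposal(record, today):
    """True once the governing retention period has elapsed."""
    deadline, _ = retention_deadline(record)
    return today >= deadline


class ErasableStore:
    """Each record is encrypted under its own random key.

    Erasure deletes the key: ciphertext may linger in backups or snapshots
    but is unrecoverable without it. Each key encrypts exactly one blob, so
    a plain block counter is a safe nonce here.
    """

    def __init__(self):
        self._keys = {}
        self._blobs = {}

    @staticmethod
    def _keystream_xor(key, data):
        # Counter-mode keystream from HMAC-SHA256 (stand-in for AES-GCM).
        out = bytearray()
        for offset in range(0, len(data), 32):
            block = hmac.new(key, offset.to_bytes(8, "big"), hashlib.sha256).digest()
            out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
        return bytes(out)

    def put(self, record_id, plaintext):
        key = os.urandom(32)
        self._keys[record_id] = key
        self._blobs[record_id] = self._keystream_xor(key, plaintext)

    def get(self, record_id):
        key = self._keys.get(record_id)
        if key is None:
            return None  # erased (or never stored)
        return self._keystream_xor(key, self._blobs[record_id])

    def erase(self, record_id):
        self._keys.pop(record_id, None)  # the blob stays, the key is gone


def apply_retention(store, records, today):
    """Erase every record whose retention period has elapsed; return their ids."""
    erased = []
    for record in records:
        if is_due_for_disposal(record, today):
            store.erase(record.record_id)
            erased.append(record.record_id)
    return erased


if __name__ == "__main__":
    # Constructed sample records, not real data.
    store = ErasableStore()
    invoice = Record("inv-1", ("financial_record", "tax_record"), date(2016, 6, 30))
    lead = Record("lead-1", ("marketing_lead",), date(2022, 1, 15))
    for rec in (invoice, lead):
        store.put(rec.record_id, f"personal details for {rec.record_id}".encode())
    print(retention_deadline(invoice))            # 7-year rule outlasts the 5-year rule
    print(apply_retention(store, [invoice, lead], date(2023, 6, 30)))
    print(store.get("inv-1"))                     # None: key destroyed
```

The engine deliberately keeps the policy (category to period mapping) separate from the mechanism (key destruction), which is what lets a data inventory from step 1 drive disposal consistently across systems.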

COMPLIANCE AS A COMPETITIVE ADVANTAGE

Effective data governance reduces legal and security risks, but it also enables business success. By understanding the legal framework, categorising and mapping data, developing clear policies, applying secure processes, and training staff, organisations create better quality data and more efficient systems. 

Strong privacy practices signal trustworthiness to customers and partners. This trust is a foundation for stronger relationships, better analytics, and long-term business growth. 

Navigating the complexities of data retention can be challenging. Contact InfoCentric to develop pragmatic, tailored data governance frameworks that meet your legal obligations while unlocking the strategic value of your data.