Data Retention and Privacy Risk

The Office of the Privacy Commissioner has recently highlighted the importance of good data retention practices.

The Office released a statement in April 2023, discussing the role of data retention in recent New Zealand data breaches. The statement points to the Latitude Financial Services breach, involving personal information about millions of individuals in both New Zealand and Australia. 6.1 million of the 14 million records involved in that breach were more than ten years old. Some were more than 18 years old.

What is data retention?

Data retention refers to how long an organisation keeps its information, including personal information.

A data retention policy outlines an organisation’s protocol for how long it will keep different types of information, and how information will be disposed of once no longer needed.

What does the law say?

Information Privacy Principle 9 of the Privacy Act 2020 says that organisations shouldn’t keep personal information for longer than they have a lawful purpose for using it. This is usually determined with reference to the original purpose for collecting the information.

Why does retention matter for privacy management?

Keeping information longer than it is needed carries real financial and reputational risks.

The most obvious risk relates to data breaches. The more personal information an organisation has, the greater its exposure and its potential liability if that information is disclosed. Keeping personal information that is no longer needed increases that risk for no benefit.

Privacy breaches have a real impact on an organisation’s reputation, and the trust and confidence of stakeholders. The Privacy Act 2020 now requires mandatory reporting of notifiable data breaches, leading to an increase in public and media awareness of breaches. Organisations can expect to face scrutiny about not just how a breach occurred, but also the information involved. The reputational damage of a data breach can be exacerbated if the public perceive that personal information was held unnecessarily.

When organisations retain personal information for longer than needed, they also run the risk of relying on out-of-date or inaccurate information to make decisions. Efficient business practices rely on using only timely and accurate data.

Excessive data retention also has immediate financial impacts for organisations. Storing and managing redundant data and systems can incur significant costs.

How can you avoid excessive retention?

An up-to-date data retention policy is the best tool for ensuring that your organisation avoids the risks and keeps personal information only as long as it is needed.

A data retention policy ensures that your organisation can identify the different types of personal information it holds and determine an appropriate retention period. For example, all payroll records might be retained for 7 years.

The Privacy Commissioner is advising organisations to make sure they have a personal information retention schedule. “The simple discipline of deciding how long information will be retained as you collect it and acting on these decisions will save you and your customers a lot of pain.”

The process of developing a policy generally relies on an information audit, to ensure a complete picture of the personal information held. Conducting an audit can be a large and complex task, particularly for organisations with long histories, large information systems, or complicated evolution of functions.

A policy also needs to consider any legislative or regulatory requirements for your organisation or sector. For example, public sector agencies need to ensure that they’re complying with the Public Records Act, and only destroy information in accordance with a current disposal authority. Similarly, the financial sector is subject to various regulatory minimum time frames during which organisations must retain records.

Implementing its data retention policy allows an organisation to ensure that any information that’s no longer required is promptly and securely destroyed.
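As an added illustration (not from the Office's guidance), the following Python script shows how a retention schedule of the kind described above can be applied to an audited inventory: each record type gets a retention period that is never shorter than any regulatory minimum, records past their period are listed for destruction unless a legal hold or missing disposal authority blocks them, and the share of records older than a given age is reported. Only the 7-year payroll period comes from the guidance; the other schedule values, the regulatory floor and the inventory are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
# Retention schedule: record type -> years kept after collection. Only "payroll: 7" is from the page.
SCHEDULE = {"payroll": 7, "customer_application": 2}
# Hypothetical regulatory floors (financial-sector style minimums) the policy must not undercut.
REGULATORY_MINIMUM_YEARS = {"payroll": 7}

@dataclass
class Record:
    record_id: str
    record_type: str
    collected: date
    hold: bool = False  # legal hold, or a public-sector record with no current disposal authority

def add_years(d: date, years: int) -> date:
    try:
        return d.replace(year=d.year + years)
    except ValueError:  # collected on 29 February: roll to 28 February
        return d.replace(year=d.year + years, day=28)

def retention_years(record_type: str) -> int:
    """Policy period raised to any regulatory floor; an unknown type is an audit gap, not 'keep forever'."""
    if record_type not in SCHEDULE:
        raise KeyError(f"no retention period defined for {record_type!r}")
    return max(SCHEDULE[record_type], REGULATORY_MINIMUM_YEARS.get(record_type, 0))

def review(records: list[Record], today: date) -> dict[str, list[str]]:
    """Sort an audited inventory into actions for a retention review run on `today`."""
    result: dict[str, list[str]] = {"dispose": [], "held": [], "retain": []}
    for r in records:
        due = add_years(r.collected, retention_years(r.record_type))
        if today < due:
            result["retain"].append(r.record_id)
        elif r.hold:
            result["held"].append(r.record_id)  # past retention, but destruction is blocked
        else:
            result["dispose"].append(r.record_id)
    return result

def share_older_than(records: list[Record], today: date, years: int) -> float:
    """Fraction of the inventory older than `years`: the figure a breach notification is judged on."""
    old = sum(1 for r in records if today >= add_years(r.collected, years))
    return old / len(records) if records else 0.0
# Constructed sample inventory, as an information audit might produce it.
INVENTORY = [
    Record("P-001", "payroll", date(2015, 3, 1)),
    Record("P-002", "payroll", date(2020, 2, 29)),
    Record("C-001", "customer_application", date(2012, 6, 30)),
    Record("C-002", "customer_application", date(2013, 1, 15), hold=True),
]
```

Running `review(INVENTORY, date(2024, 6, 1))` lists P-001 and C-001 for disposal, holds C-002, and retains P-002; `share_older_than(INVENTORY, date(2024, 6, 1), 10)` reports that half the inventory is more than ten years old.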

Liz McPherson, Deputy Privacy Commissioner, stated that “There are consequences for holding onto data you no longer need. All businesses and organisations can learn from this: don’t collect or hold onto information you don’t need. The risk is simply too high for your customers and your organisation.”