As we reach the end of Privacy Awareness Week (PAW) 2020 we also move to the end of the Ctrl+Alt+Delete function, to the delete phase for rebooting privacy.
Under Australian Privacy Principle 11 (APP 11) organisations are required to take reasonable steps to destroy or de-identify personal information when it is no longer required for the purpose for which it was collected.
Many organisations have document retention policies which deal with the destruction of documents and the data contained in them within certain timeframes. However, it is often the case that personal information which is stored in systems (rather than in specific documents) may be retained for a significant period of time, and a risk to the organisation if that information is subject to unauthorised access and or misuse.
This was certainly an issue in some of the major data breaches we have seen in the last few years, including the breach of Australian National University where student and staff information going back 19 years was able to be accessed in a breach. Click here to read the report.
What is required for destruction?
The Office of the Australian Information Commissioner (OAIC) provides guidance to organisations as to what will satisfy APP 11 in terms of destruction or de-identification in its guide to securing personal information available here. Some of this overlaps with document destruction or retention procedures, particularly where documents and information are held in hard copy.
For hard copy destruction, which is often outsourced, organisations need to clarify what happens when documents leave their possession for destruction. For example, will they will be destroyed in an appropriate manner such as through pulping, pulverising, disintegrating or shredding?
Many breaches occur every year where complete files are found to have been placed into dumpsters or other storage which has been subject to unauthorised access. Where information is contained on hardware or in electronic form, the same rules apply – is it removed in a way that the personal information is irretrievable from that hardware?
If information is not in a position to be irretrievably destroyed, then reasonable steps will be putting the personal information “beyond use”. While this approach is regarded as being applicable only within very limited circumstances, it meets the requirements if there are appropriate technical, physical and organisational security boundaries around the information which prevent access or use.
Is de-identifying information enough?
This is often seen as a simple way of dealing with information while also allowing entities to retain some elements of the information for business use. However, de-identification is only successful if information cannot be subsequently re-identified and there are significant standards around what meets the test of de-identification. For example, the OAIC together with CSIRO’s Data61 have published a De-identification Decision-Making Framework which provides practical guidance on de-identification.
Other useful resources are listed in the OAIC’s guide to securing personal information.
Author: Lyn Nicholson
The information in this publication is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, we do not guarantee that the information in this newsletter is accurate at the date it is received or that it will continue to be accurate in the future.