What should APP Entities include in a data destruction policy?

The Australian Privacy Principles (APPs) contained at Schedule 1 of the Privacy Act 1988 (Cth) (Act) require APP Entities to destroy or deidentify personal or sensitive information (Protected Information) as soon as reasonably practicable.[1] Having a data destruction policy (DDP) in place means that everyone in the company knows what information is Protected Information, and when and how it is to be destroyed or deidentified.

What is an APP Entity?

An APP Entity includes:

  • government agencies such as a minister, department, Court or the Australian Federal Police;
  • an individual;
  • a body corporate;
  • a partnership;
  • an unincorporated association; or
  • a trust,

other than a small business operator, being a business that had an annual turnover of less than $3,000,000 in the last financial year.[2]

Section 6D(4) of the Act notes that the following small business operators will be considered an APP Entity:

  • if it carries on a business that has had an annual turnover of more than $3,000,000 for a financial year after the later of the small business operator starting to carry on the business or 21 December 2001;
  • if it provides a health service and holds health information that is not in an employee record;
  • if it discloses personal information about other individuals to third parties for a benefit, service or advantage;
  • if it provides a benefit, service or advantage to collect personal information about individuals from third parties;
  • if it is a contracted service provider for a contract to which the Commonwealth is, or was, a party and services were being provided to them; or
  • if it is a credit reporting body.

What is personal and sensitive information?

Section 6 of the Act defines ‘personal information’ as:

“Information or an opinion about an identified individual, or an individual who is reasonably identifiable:

  • whether the information or opinion is true or not; and
  • whether the information or opinion is recorded in a material form or not”

Chapter B of the APP Guidelines states that this is often a person’s

“name, signature, address, telephone number, date of birth, medical records, bank account details, employment details and commentary or opinion about a person”.

‘Sensitive information’ is defined in the same section as:

“(a) information or an opinion about an individual’s:
      (i) racial or ethnic origin; or
      (ii) political opinions; or
      (iii) membership of a political association; or
      (iv) religious beliefs or affiliations; or
      (v) philosophical beliefs; or
      (vi) membership of a professional or trade association; or
      (vii) membership of a trade union; or
      (viii) sexual orientation or practices; or
      (ix) criminal record;
  that is also personal information; or
(b) health information about an individual; or
(c) genetic information about an individual that is not otherwise health information; or
(d) biometric information that is to be used for the purpose of automated biometric verification or biometric identification; or
(e) biometric templates.”

Simply put, any information from a name or email address to photographs, medical information and fingerprints will be considered either personal or sensitive information and should be covered by the DDP.

APP 4 – When should Protected Information be destroyed?

The APPs provide two (2) situations whereby Protected Information should be destroyed:

  • when the company receives unsolicited Protected Information;[3] and
  • when the Protected Information is no longer required by the receiver of it.[4]

If the Protected Information was not solicited by the receiver, then within a reasonable time after receiving it they need to determine whether they could have collected the Protected Information under APP 3 had it been solicited.  If the answer to this is “no” and the Protected Information is not in a Commonwealth record, then it must be destroyed or deidentified as soon as practicable so long as it is lawful and reasonable to do so.[5]

If:

  • the Protected Information was solicited, or it was unsolicited but the company would have otherwise been able to collect it under APP 3;
  • the company no longer needs the Protected Information for any purpose which it may be used or disclosed;
  • the Protected Information is not contained in a Commonwealth record; and
  • the company is not required by or under an Australian law or Court/Tribunal order to retain the Protected Information,

then they must take all reasonable steps in the circumstances to destroy or deidentify the Protected Information.[6]

As a bare minimum, all companies should include the above APPs in their DDP, regardless of whether they come within the definition of ‘APP Entity’ in the Act and are required to comply with the APPs or not.

An additional circumstance which may be considered as an inclusion in a DDP is when the customer requests that their Protected Information be destroyed or deidentified, in which case it should be done as soon as practicable after the request but only if it is lawful and reasonable to do so.

The decision of whether the information should be destroyed or deidentified will depend on the circumstances. For example, if the information is contained in financial records that are required to be kept for seven (7) years, it may only be possible to deidentify the Protected Information.

How should the information be destroyed?

Paragraphs 11.7 to 11.10 of the Australian Privacy Principles Guidelines do not state what steps a company should take to destroy Protected Information, but note that it will depend on the size of the company, its resources and the complexity of its operations.

As a starting point, physical documents should be shredded and disposed of through garbage or recycling. Where the company is able to, it is best to place documents in secured recycling bins that are taken to a secured facility offsite for shredding and recycling. Whatever method is used, those responsible for the task need to keep admissible evidence of their actions in case it is needed at some point in the future.

Electronically stored documents should be destroyed by:

  • completely removing the Protected Information from the hard drive;[7]
  • irretrievably destroying the Protected Information; or
  • instructing a third-party provider of a cloud-based service to irretrievably destroy the Protected Information and verify that this has occurred.

However it is done, the APP Entity needs to be confident that the Protected Information can no longer be accessed.
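The following is an added worked example, not code from the article or from any official OAIC tool. It encodes the APP 4.3 / APP 11.2 decision steps set out above (solicited or collectable, still needed, Commonwealth record, legal retention requirement, the optional customer request, and the seven-year financial records case) as a small retention-review routine, and pairs it with a hash-chained destruction log of the kind that "admissible evidence of their actions" implies. The `Record` fields, the destruction methods named in the log, and all sample records are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional
import hashlib
import json


@dataclass
class Record:
    """One item of Protected Information under review (field names are constructed assumptions)."""
    record_id: str
    solicited: bool                  # did the company ask for it?
    collectable_under_app3: bool     # if unsolicited, could it have been collected under APP 3?
    still_needed: bool               # needed for any purpose for which it may be used or disclosed?
    commonwealth_record: bool        # APP 4.3 and 11.2 do not apply to Commonwealth records
    retain_until: Optional[date] = None          # end of any statutory or court-ordered retention period
    subject_requested_destruction: bool = False  # the article's optional extra trigger


def decide(rec: Record, today: date) -> str:
    """Map the APP 4.3 / APP 11.2 conditions to 'retain', 'destroy' or 'deidentify'."""
    if rec.commonwealth_record:
        return "retain"
    if rec.solicited or rec.collectable_under_app3:
        # APP 11.2 path: keep while still needed, unless the individual has asked for destruction
        if rec.still_needed and not rec.subject_requested_destruction:
            return "retain"
    # Either unsolicited and not collectable (APP 4.3), or no longer needed / requested (APP 11.2).
    # Destroying is only done where lawful: an unexpired retention obligation means deidentify
    # instead (the article's seven-year financial records example).
    if rec.retain_until is not None and rec.retain_until > today:
        return "deidentify"
    return "destroy"


GENESIS = "0" * 64


def append_entry(log: list, record_id: str, action: str, method: str, operator: str, when: date) -> dict:
    """Append a hash-chained destruction/deidentification record so later edits are detectable."""
    prev = log[-1]["entry_hash"] if log else GENESIS
    entry = {"record_id": record_id, "action": action, "method": method,
             "operator": operator, "date": when.isoformat(), "prev_hash": prev}
    entry["entry_hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
    log.append(entry)
    return entry


def verify_log(log: list) -> bool:
    """Recompute every hash; any altered field or broken link returns False."""
    prev = GENESIS
    for entry in log:
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if body.get("prev_hash") != prev:
            return False
        if hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest() != entry["entry_hash"]:
            return False
        prev = entry["entry_hash"]
    return True


def review(records, today: date, operator: str):
    """Run the decision over a batch and log every destroy/deidentify action."""
    outcomes, log = {}, []
    for rec in records:
        action = decide(rec, today)
        outcomes[rec.record_id] = action
        if action == "destroy":
            append_entry(log, rec.record_id, action, "secure erase of stored copies", operator, today)
        elif action == "deidentify":
            append_entry(log, rec.record_id, action, "identifiers removed, record retained", operator, today)
    return outcomes, log


# Constructed sample data for illustration only.
SAMPLE_TODAY = date(2024, 7, 1)
SAMPLE_RECORDS = [
    # solicited invoice, no longer needed, but inside a seven-year financial retention period
    Record("inv-2019-0042", True, True, False, False, retain_until=date(2026, 6, 30)),
    # unsolicited CV that could not have been collected under APP 3
    Record("cv-unsolicited-7", False, False, False, False),
    # active customer, still needed
    Record("cust-1001", True, True, True, False),
    # active customer who has asked for their data to be destroyed
    Record("cust-1002", True, True, True, False, subject_requested_destruction=True),
    # Commonwealth record: outside APP 4.3 / 11.2
    Record("cth-file-3", True, True, False, True),
]

if __name__ == "__main__":
    outcomes, log = review(SAMPLE_RECORDS, SAMPLE_TODAY, "records-officer")
    print(json.dumps(outcomes, indent=2))
    print("log intact:", verify_log(log))
```

The log deliberately records who did what, by which method and when, and links each entry to the previous one, so a later change to any entry is detectable when the evidence is needed. In practice the log would be written to append-only storage and the "method" field would reference the actual sanitisation procedure used (for example the ISM media sanitisation guidance the article cites), which this example only names in placeholder form.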

For example, in Commissioner Initiated Investigation into Uber Technologies, Inc. & Uber B.V. (Privacy) [2021] AICmr 34 (Commissioner v Uber) the Commissioner determined that Uber Technologies, Inc., and Uber B.V. (Uber) did not take reasonable steps to destroy or deidentify Protected Information as:

  • the files containing the Protected Information were not part of the system which automatically deleted files after a specified period;[8]
  • there was no evidence that Uber had in place policies or procedures for destroying or deidentifying Protected Information;[9]
  • Uber was not aware that the files existed;[10]
  • there was a serious foreseeable risk of the Protected Information getting into the wrong hands;[11] and
  • there were multiple deficiencies in Uber’s system’s information handling practices.[12]

Takeaways

Even if you have every possible security measure in place to prevent any Protected Information from being accessed by unauthorised persons, having a DDP will show that you have taken steps to ensure that any information that is no longer required by your business is destroyed or deidentified as soon as possible.

Links and further references

Related articles

International companies can be bound by Australian privacy laws

Are your privacy practices compliant with the amended Privacy Act 1988 (Cth)?

Privacy Compliance Toolbox

Uber breaches Australian privacy laws

Legislation

Privacy Act 1988 (Cth)

Australian Privacy Principles

Australian Privacy Principles guidelines

Cases

Commissioner Initiated Investigation into Uber Technologies, Inc. & Uber B.V. (Privacy) [2021] AICmr 34

Further information

If you need advice on what to include in your data destruction policy contact us for a confidential and obligation free discussion:


Malcolm Burrows B.Bus.,MBA.,LL.B.,LL.M.,MQLS.
Legal Practice Director
Telephone: (07) 3221 0013 (Preferred)
Mobile: 0419 726 535
e: mburrows@dundaslawyers.com.au


Disclaimer

This article contains general commentary only.  You should not rely on the commentary as legal advice.  Specific legal advice should be obtained to ascertain how the law applies to your particular circumstances.

[1] APP 4.3 and 11.2.

[2] Act, sections 6, 6C and 6D.

[3] APP 4.

[4] APP 11.

[5] APP 4.3.

[6] APP 11.2.

[7] Refer to ‘Media sanitisation’ on page 75 of the Australian Government Information Security Manual for details on how this should be done.

[8] Commissioner v Uber at [106].

[9] Ibid at [108].

[10] Ibid.

[11] Ibid at [110].

[12] Ibid at [109]-[110].
