Some parts of your organisation may want to know if they can collect more and more data and hold it for longer. However, given the increasing and significant fines for serious and repeated breaches of the APPs and the increasing costs of maintaining exponential growth in data holdings, the IT, data governance and information security functions of many organisations are increasingly pushing back. They wish to rationalise data holdings, remove legacy systems (especially those kept just to access certain legacy data), remove data duplication and slow the exponential growth in data holdings.
The challenge
Can you significantly reduce your costs of data storage, stop running redundant legacy systems and still comply with your legal obligations? In the face of concerns from key stakeholders that there could be contractual, legal and/or internal policy requirements prohibiting the deletion of the data, our recent challenge from a major Australian bank was to assess and determine if the bank could delete a significant amount of data (including 'personal information') and comply with all of its legal obligations in respect of the data.
In short, yes it could and, yes, you can too. In fact, you can actually improve your compliance.
The results (information security improvements and cost savings) achieved always exceed expectations and, to the delight of in-house legal/compliance, will make your organisation significantly more privacy law compliant in the process.
Privacy law actually requires deletion
In order to comply with privacy law organisations need to turn their traditional thinking and approach to data retention on its head, especially given the imminent increase in fines in Australia for serious and repeated privacy infringements to the greater of $10 million and 4% of group annual domestic turnover. That is, rather than keeping everything forever, organisations should start from the position that:
We will delete or de-identify all personal information immediately once used for the notified purpose(s) for collection, unless we are legally required to keep it for longer and, in such a case, we will then ensure that it is deleted or de-identified as soon as legally possible.
This approach has potentially significant cost savings, is security enhancing and helps you to achieve 'data efficiency' (i.e. overall benefits divided by overall costs of storing data). However, in order to do this your organisation will need to first know the data you collect and hold and the actual legal (not folklore) data retention periods for all of the types of data and records you collect and hold.
Of course, complying with the legal requirements around data rationalisation can be challenging in a resource-constrained business context and across a number of business units/divisions. Can IT professionals and legal/compliance professionals better align so as to manage IT spend and ensure compliance with data privacy and records retention requirements? Yes they can, as we have found on a number of occasions assisting a number of clients to do exactly this, but it often requires external assistance.
Holding on too long is not just costly, it breaches the law!
It's estimated that organisations around the world collectively waste trillions of dollars every year holding and securing data that they (i) no longer need and (ii) are no longer legally required to hold - including out-of-date information and personal information that, by law, must be deleted or de-identified. If you are storing large amounts of data, whether for your own business or on behalf of your customers, you should seriously consider 'de-cluttering' or rationalising your data. If that data includes personal information, by law you will likely need to delete or de-identify at least some of it.
Organisations and the enterprise technology vendors that serve them are often subject to a complex web of data/information regulation, folklore and customary practices ('it's what we have always done').The 'folklore' around data retention requirements, which can go unchallenged for years, is particularly insidious as it usually does not reflect actual legal requirements and is often in conflict with the organisation's actual legal obligation to delete or de-identify personal information. That is, not only is the organisation holding data for longer than legally required but, by doing so, where that data contains personal information, you are often in breach of the law and expose yourself to significant fines and the information security costs increase exponentially.
Through our work on a number of similar projects it is clear to us that there are numerous common misconceptions or misinterpretations as to exactly how long data needs to be retained (i.e. what we refer to as 'folklore'). This folklore is usually not challenged or considered in light of actual legal obligations. In fact, what is often overlooked is that retaining personal information contained in data/records (i.e. often the record itself) for too long is actually a breach of privacy law. The organisation has a positive obligation to take reasonable steps to delete or permanently de-identify personal information that is no longer needed for the notified purpose(s) for which it was collected (once any statutory retention periods have expired).
These data rationalisation projects also bring clarity to concerns around the retention of data because of possible litigation, claims, enquiries, etc where such might need 'old' data to be adduced as evidence. Contrary to the widely held belief, there is no issue (i.e. illegality) where information/records are deleted in accordance with an appropriate internal policy that complies with both the legal retention periods and the privacy law. That is, where there is no live or threatened dispute or enquiry it is permissible to delete the information once the relevant legal retention period has expired (and, as noted, legally you are obliged to where its personal information).
Given the significant cost savings and potential benefits of data rationalisation, combined with the need to comply with one's legal obligations, assessing both what data you (i) must and (ii) may delete is a sensible step. But, before you do, don't forget to first pin down what types of data you have (i.e. collect and hold) and the applicable legal retention and deletion requirements specific to that data to avoid deleting the wrong things.
Untangling the web of regulation and folklore
The important, and often overlooked, starting point in any consideration of data retention obligations is the legal obligation under privacy law to delete or de-identify personal information.
After helping clients to change the mindset of key stakeholders in the business on this (by understanding all applicable legal obligations), we then consider their data holdings and what specific legal retention requirements apply to their particular types of data/records, including in relation to cases where there is a claim, action or Government inquiry etc (or threat of any of such). Once any applicable retention periods/requirements expire, the obligation to delete or de-identify personal information becomes an overarching legal obligation on the organisation.
Although the required outcome of the bank we advised, for example, was relatively simple the issues to consider and stakeholder concerns were complex. A myriad of statutes at the State and Federal levels regulate document and record retention and destruction, with some requirements appearing to contradict one another. For example, tax and superannuation legislation sets out certain minimum retention periods applicable to a bank in certain circumstances, but not others, and these are often 'augmented' in the bank's internal policies.
However, irrespective of an organisation's policies, Australian privacy law requires that organisations delete or permanently de-identify any personal information if it is no longer required for the notified purpose(s) for which it was collected (e.g. as set out in the collection statement or privacy policy) and the specific applicable legal retention obligations/periods have expired.
Also, when navigating the various exceptions available under Australian privacy law, you need to consider the policy and strategic points of view. That is, just because you may avail yourself of an exception to the obligation to delete certain personal information, should you?
The tension between commercial and legal/risk imperatives
Underlying these issues is often tension in an organisation between compliance with legal/risk requirements, keeping everything 'just in case', and the commercial or IT department imperatives to reduce unnecessary expenditure (and the number of systems they have to maintain).
In some cases the organisation may also face broader pressures at an industry level and, in supporting them, one must be sensitive to any resource constraints and the often very public operating context. Also, different business units/parts of the business have different imperatives, concerns and goals in respect of data retention. However, the commercial imperatives of IT toward data rationalisation are actually supported by the privacy law obligations. Who knew complying with the law could save you money?
Key takeaways
All organisations hold significant amounts of data they do not need anymore, often contrary to their legal obligation to take reasonable steps to delete or de-identify personal information once used for the notified purpose(s) of collection. A data rationalisation review is the perfect opportunity to 'kill [numerous] birds with one stone': save costs and time, improve information security and data handling efficiencies and better comply with your legal (including privacy) requirements.
The benefits of data rationalisation are that organisations get a much clearer view of how to manage their data and document retention going forward and the basis for what data they hold and a justifiable position vis-à-vis key stakeholders as to why (sometimes contrary to contractual terms) the deletion/de-identification of data is (legally) required. In addition, where it results in significant data (especially on legacy systems) being deleted, the cost savings and compliance uplift can be very significant.
Its time to reconsider you approach to data retention, rationalising your data holdings while uplifting compliance with privacy law and significantly reducing your data costs.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
