Privacy Law and Policy Reporter
Nigel Waters and Graham Greenleaf
This is the second in a series which examines the interpretations of similar information privacy principles (IPPs) by Courts, privacy and information Commissioners and other sources of interpretation, with an emphasis on legislation in Australian jurisdictions and caselaw from Asia-Pacific jurisdictions. The first in the series was on the security principle (see (2004) 11(3) PLPR 67). (General Editor)
Most privacy laws contain a principle dealing with the retention and disposal of personal information. In some laws it stands alone as a separate principle, while in others it is found within the security principle.
Most organisations subject to privacy law retention and disposal principles will have to reconcile their specific obligations in relation to personal information with general retention and disposal obligations under other laws, and this interaction is a major focus of the following discussion.
The principles in Australasian privacy laws that deal with retention and disposal are all very similar in effect though there are significant differences in the way they are expressed – some approaching from the retention end and some from the disposal perspective.
The first set of legislated principles – the Information Privacy Principles or IPPs in the federal Privacy Act 1988 – did not contain any provisions concerning retention or disposal. Despite the absence of an express retention and disposal principle, the Australian Federal Commissioner made several references to an implicit requirement in reports of investigations and audits in the first ten years of operation of the Act .
The New Zealand Act, a few years later, introduced a separate retention principle:
“Principle 9: Agency not to keep personal information longer than is necessary
An agency that holds personal information shall not keep that information for longer than is required for the purpose for which the information may lawfully be used.”
The NSW law includes provisions relating to retention and disposal as the first part of a retention and security principle:
“A public sector agency that holds personal information must ensure:
(a) that the information is kept no longer than is necessary for the purpose for which the information may lawfully be used (emphasis added - editor), and
(b) that the information is disposed of securely and in accordance with any requirements for the retention and disposal of personal information, ...”
In the private sector NPPs, introduced into the federal Privacy Act in 2000, the Data Security principle includes:
“4.2 An organisation must take reasonable steps to destroy or permanently de-identify personal information if it is no longer needed for any purpose for which the information may be used or disclosed under NPP 2.”
This formulation is also used in the Victorian and Northern Territory laws.
The Data Protection Principles (DPPs) in the Hong Kong Ordinance include a further variation of the negative formulation:
“Personal data shall not be kept longer than is necessary for the fulfilment of the purpose (including any directly related purpose) for which the data are or are to be used”
The HK Ordinance also contains a positive formulation in s26(1):
‘‘A data user shall erase personal data held by the data user where the data are no longer required for the purpose (including any directly related purpose) for which the data were used unless-
(a) any such erasure is prohibited under any law; or
(b) it is in the public interest (including historical interest) for the data not to be erased.’
A novel provision in s26(2)(b) provides that the ‘data user shall not be liable in an action for damages at the suit of the second-mentioned data user in respect of any such erasure’. This protects data users against claims that by erasing a person’s persons data (possibly to the prejudice of the person) they have therefore breached the security principle – provided that all purposes for which the data was used have expired.
The Canadian federal law applying to the private sector – the Personal Information Protection and Electronic Documents Act also has a negative general obligation:
“Personal information shall be retained only as long as necessary for the fulfilment of (the purposes for which it was collected)” (Principle 4.5),
but goes further in prescribing detailed positive requirements:
“Organizations should develop guidelines and implement procedures with respect to the retention of personal information. These guidelines should include minimum and maximum retention periods. Personal information that has been used to make a decision about an individual shall be retained long enough to allow the individual access to the information after the decision has been made. An organization may be subject to legislative requirements with respect to retention periods”. (Principle 4.5.2), and
“Personal information that is no longer required to fulfil the identified purposes should be destroyed, erased, or made anonymous. Organizations shall develop guidelines and implement procedures to govern the destruction of personal information.” (Principle 4.5.3)
Canadian commentators debate the merits of including such non-mandatory (‘should’) statements in the legislation .
The Canadian federal public sector Privacy Act 1985 contains both retention and disposal principles (in s.6) but both are only made operational by specific regulations or ministerial guidelines or directives. The objective of the retention regulations , which require retention for at least two years after the last administrative use, is to ensure that personal information is available to the individual to whom it pertains if requested.
In some sectoral legislation such as the credit reporting provisions of the Privacy Act 1988 (Cth) Part IIIA there are detailed deletion principles with specified time limits for retention of categories of information . The statutory Tax File Number Guidelines issued by the Australian Federal Commissioner under the same Act contain a permissive rule – “Tax file number recipients may dispose of tax file number information when it is no longer required by law nor administratively necessary to be retained.”
In terms of subordinate legislation, the Hong Kong Privacy Commissioner has issued Codes of Practice in areas such as Consumer Credit Data and Human Resources Management which in some cases specify periods of retention for specific categories of data. The main Codes issued by the New Zealand Privacy Commissioner , and those approved by the Australian Privacy Commissioner , do little more than re-state the retention principles in their respective Acts, except for the draft NZ Credit Information Privacy Code 2003 which prescribes specific retention periods as in the Australian Credit Reporting regime .
No ‘reasonable steps’ qualification in some Acts
Unlike many of the other privacy principles, the retention and disposal obligations are not qualified in some Acts (NSW, NZ, HK and Canada) so as to require only ‘reasonable’ or ‘reasonably practicable’ steps – the obligation is expressed in absolute terms. The ‘reasonable steps’ qualification in principle 4.2 (Australian private sector, Vic, NT) is the exception to this.
It will be interesting to see if the regulators and the Courts import a ‘reasonable steps’ consideration into their enforcement of this principle where it is not expressly provided. Where organisations have very large data collections, particularly on paper or in legacy databases, it may be extremely costly to set up regimes to identify when each individual data item passes its ‘no further use’ date. In these cases, if organisations have procedures for periodically reviewing and culling data according to some generic rules, it would be surprising if the fact that specific data items were not immediately culled resulted in breaches of this principle being found.
Sources of interpretation
Even with an apparently unambiguous obligation, organisations subject to a privacy law are understandably uneasy about what compliance means in practice. They will look ultimately to decisions of tribunals and courts for the standards required in different circumstances.
While there are a few Court and Tribunal decisions available, organisations have also had to relyon the opinions of the regulators as expressed in guidance material, in the reports of conciliated cases published by some Privacy Commissioners, and in the reports of special investigations and audits conducted by those Commissioners who have those functions . These are considered in the rest of this paper.
Some guidance may also be found in textbooks on regional privacy laws .
It is important to recognise that there are two possible options once a deletion principle takes effect on personal information. The first is deletion or destruction, but there is also a second option – de-identification.
The identical disposal principles in the Australian private sector, Victorian and NT laws explicitly includes anonymisation (‘permanently de-identify’) as an alternative to destruction of personal data, whereas the principles in other laws do not. However, the other laws say that organisations shall not ‘keep’ ‘personal information’ (not ‘records’) longer than is necessary, and it can be argued that personal information is not ‘kept’ if it is permanently de-identified, because then the information that remains will not satisfy the definition of ‘personal information’ (it will not be capable of being used to identify the person). If this is so, then all retention principles allow both destruction of records and de-identification of personal data as methods of compliance.
The Australian Privacy Commissioner’s NPP guidelines take a similar approach, stating that de-identification ‘means that an organisation is not able to match the de-identified information with other records to re-establish the identity of people’
The Australian Privacy Commissioner has dealt specifically with the interaction of destruction and de-identification in Guideline 3 of the Medicare and Pharmaceutical Benefits Programs Privacy Guidelines 1997.
There is a whole area of debate about what is actually meant by de-identification, as it is often at least theoretically possible to re-identify at least some individuals from other details, particularly by someone with special knowledge. But this issue will not be pursued further in this paper.
Relationship to other retention requirements
There should always be a retention period, and associated disposal, directly associated with the original purpose of collection of any personal information. In some cases this will derive solely from the business needs of the organisation that holds the information, and in others from associated legal requirements, which may include statutory obligations, but also prudential and other defensive reasons, such as to protect against future litigation.
All privacy laws accept the proposition that the justification for retention may be unrelated to the original specific purpose of the organisation holding personal information. This is usually expressed in two ways. Firstly by linking the disposal requirement to any purpose permitted by the use principle, which invariably includes both secondary related purposes and unrelated ‘public interest’ uses. Secondly by a general ‘or otherwise authorised or required by or under law’ exception.
The one exception to the first norm is the Canadian private sector law, which allows retention only for a purpose of collection (emphasis added - editor), and not for other purposes even where they are permitted under the use principle. This is potentially a very important distinction, as it means that personal information will only be available for unrelated third party purposes during the period for which it can be justified by reference to the original purpose, unless there is a specific retention requirement for those other purposes. In contrast, the other laws allow personal information to be retained solely for the other purposes, provided they can be justified under the use principle.
There are as yet insufficient examples to indicate the extent to which Privacy Commissioners are allowing information to be retained for hypothetical future uses which may be ‘authorised or required by or under law, and no case law of consequence, but there is an obvious danger of abuse of the retention principle by such practices. It is submitted that it cannot be the correct interpretation of these retention principles that the hypothetical demands of third parties can justify retention beyond any retention that is justified by the interests of the data controller, because such an interpretation would make retention provisions meaningless as protectors of privacy.
A good topical example would be the retention of customer information, say call charge records by a telecommunications provider, beyond the period for which there is a commercial justification, on the basis of a perceived need to assist law enforcement agencies – a secondary use and disclosure which is permitted under most privacy laws. This specific issue of retention of telecommunications traffic records has been hotly debated in the context of international conventions on Telecommunications Privacy and Cybercrime  .
In Australia, the Internet Industry Association has proposed a Cybercrime Code of Practice which would set standards for retention of traffic data by Internet Service Providers. While controversial, the Code, if it could be agreed, could provide useful guidance on how to balance requirements in privacy and other laws.
Other legal requirements will normally prevail...
Where there is a specific requirement in another law for retention of personal information, that will normally ‘trump’ the disposal principle in a general privacy law.
There are many such statutory retention requirements. Most public sector agencies are subject to Public Records or Archives Acts which generally require retention of many categories of records, and also impose a disciplined and systematic approach to disposal. Many private sector businesses are subject to record-keeping and retention requirements in financial and corporate regulations, while similar obligations in relation to environmental regulation, health and safety and industrial relations can apply across both public and private sectors.
It would be easy for managers to take the view that a combination of specific requirements, general ‘due diligence’ obligations and overall prudence in anticipation of future complaints or litigation combine to justify a general policy of keeping most records indefinitely. Certainly this would seem to be the advice that many businesses are receiving in relation to E-mails, telephone records and general customer transaction records.
... but only if specific
But it would be unwise for agencies or organisations to assume that a general record retention requirement, whether statutory, common law or otherwise, will have the effect of trumping disposal obligations in privacy laws if the former requirement does not expressly address the issue of personal information.
It is quite possible to reconcile in theory a general record retention provision with the disposal of personal information principle by selective editing. However the difficulty or cost of doing so would normally make such a step unreasonable, and a judgement will be needed as to which requirement should prevail.
In GR v Dept of Housing  NSWADT 268, the NSW ADT considered the interaction of the State Records Act 1998 (SRA) and the disposal principle in PPIPA (IPP 5, s.12). Section 12(1) of the SRA provides that “Each public office must make and keep full and accurate records of the activities of the office”. s21(7) of the SRA provides that an Act enacted after the commencement of the section “is not to be interpreted as prevailing over or otherwise altering the effect or operation of this section except insofar as that Act provides expressly for that Act to have effect despite this section”.
The NSW Privacy Commissioner submitted to the ADT that the State Records Act and the Privacy Act should be read together in harmony, and that there are several provisions in the PPIPA that show an awareness of possible conflict with the SRA and suggest that there was an intention to reduce or minimise such conflict.
Two of the provisions referred to by the Commissioner support the view that the PPIPA Act authorises alteration, and by implication deletion, of records where necessary. Section 20(4) expressly states that the correction principle (IPP8, s.15) applies despite the SRA. Section 25(b) of PPIPA, which provides an exemption from many of the IPPs where non-compliance is otherwise permitted (or is necessarily implied or reasonably contemplated) under an Act or any other law (including, expressly the State Records Act 1998) (emphasis added - editor), does not apply to the disposal principle IPP5, which must therefore be presumed to prevail.
The respondent in GR submitted that the Tribunal should read down section 15 of the Privacy Act (when it is read with the State Records Act) so as to hold that the only “amendments” that can properly be made pursuant to section 15(1) are notations made pursuant to section 15(2) of the Privacy Act (ie: that deletion was not an option). The Tribunal was not prepared to give section 15 that operation but did not consider it needed to resolve the issue of the operation of the two statutes in the present case. This was because the photographs at issue were in the Tribunal’s view clearly relevant to the respondent’s functions in maintaining a file on the applicant’s tenancy history.
Justification for retention
In a 1996 case,  NZPrivCmr 3 (Case Note 5532), the NZ Privacy Commissioner formed the view that an employer was entitled to keep information about a proposed dismissal (subsequently withdrawn after resolution of a grievance involving the employee’s resignation) against the possibility of further legal action. The employer’s standard practice was to retain personnel files for a period of five years after an employee had left.
Two years later, in another case,  NZPrivCmr10 (Case Note 13066), the NZ Commissioner again supported an employer’s right to retain adverse personnel information, notwithstanding an agreement to remove it from the employee’s active personnel file. The Commissioner agreed that the employer had a ‘lawful purpose’ for retaining in another place the information which had been removed from the file, since it might have been relevant to the employee’s continued suitability. The agreement to remove the information from the personal file had not specified what would happen to it and there was no record of an agreement to destroy the information or refrain from using it in the future.
Ad hoc disposal or policies required?
The only decision to date on retention and disposal under the Australian Privacy Act 1988 , the 2004 determination by the Privacy Commissioner on the operation of a tenancy database service (TICA Default Tenancy Control Pty Ltd or TICA), has sent an important message about the need for compliance with the retention principle. In Complaint Determination No. 3 of 2004, the Australian Federal Privacy Commissioner found that TICA had breached NPP 4.2 by failing to take reasonable steps to destroy or de-identify personal information. TICA was removing out-of-date personal information to a ‘dead tenants’ database’. The Commissioner found this step to be “not reasonable in the circumstances for the following reasons:
• TICA does not appear to have in place reasonable measures to decide when personal information is out-of-date;
• TICA does not appear to take any steps to destroy (as opposed to move) personal information that is out-of-date; and
• Although the ‘dead tenant database’ is only available to TICA, and is not disclosed outside of the organisation, it does not de-identify the information it contains.”
While the Commissioner took the view that his Determination could not specify appropriate retention periods, he made accompanying ‘recommendations’ which included a maximum of four and three years respectively for tenancy history and enquiries information; and deletion of information moved to the ‘dead tenant database’ (that is the database which stores deleted listings) not less than once a month (He believed it is acceptable to hold information temporarily in the ‘dead tenant database’ to ensure that information which is ‘accidentally’ deleted can be retrieved).
This TICA determination also illustrates the close relationship between the retention and disposal and data quality principles. The Commissioner’s findings, in the same Determination, about quality (fitness for purpose) were a pre-requisite for the finding about retention and disposal.
The NSW law has so far not proved as powerful in requiring positive retention and disposal policies. In FH v NSW Department of Corrective Services  NSWADT 72, the applicant – a former prisoner - argued that inmate records should not be retained at all once they leave the prison system and especially where their conviction had been quashed (as it had in his case). However, the Tribunal accepted the respondent’s justifications for retaining ex-inmate records, even though they were not laid down in any considered policy. They included the possibility of litigation, the use of records by police as an intelligence resource and the need for information regarding custody where the former inmate re-enters the correctional system. The Tribunal found that the period of retention to date was not unreasonable having regard to those reasons. The respondent acknowledged that ‘at some point’ it would require a policy on long-term record retention and disposal, but the Tribunal did not take the opportunity to mandate this.
In contrast, the Canadian private sector law makes it much easier to hold an organization to account as it requires not just an appropriate retention decision in individual circumstances, but also a specific retention policy. Three cases illustrate its application, and support the conclusion reached by the Australian Commissioner in the TICA case.
In  PrivCmrCan PIPEDA Case Summary #52, the Canadian
Commissioner determined that the respondent company had not previously had retention and deletion policies in place, and had therefore failed to meet its obligations under Principles 4.5.2 and 4.5.3.
In  PrivCmrCan PIPEDA Case Summary #255, the Assistant Commissioner found that while an airport authority had policies regarding the destruction of information, there were none dictating the length of time that information can be kept. The authority kept the information it collected for restricted area passes for all employees in the event that some who leave may return to the airport to work. Although the authority thought it was saving steps by keeping this information, the authority also acknowledged that a new application form would have to be filled out and a new photograph possibly taken should a former employee return to the airport to work. Therefore, the Assistant Commissioner did not think that such a practice fulfilled any purpose, and she found the authority in contravention of Principle 4.5.
In  PrivCmrCan PIPEDA Case Summary #73 the Canadian Commissioner determined that a telecommunications company’s practices with respect to the retention of personal information were inconsistent. The company lacked a policy and procedures, and in default, granted its managers considerable discretion with respect to which documents should be held on file. The Commissioner found the complainant’s expectation that there be a degree of consistency regarding retention practices perfectly reasonable. As a result of the inconsistency, the Commissioner made a finding of a breach of the data quality principle.
Compliance with retention and disposal policies
Assuming organisations have a retention and disposal policy in place, whether statutorily prescribed or developed in-house to meet a general obligation, they will also be held to account for ensuring that the policy is followed.
The Australian Federal Privacy Commissioner has periodically reported on the results of audits which revealed failures to follow clearly set-out policies.
The retention/disposal principle does not excuse premature disposal, which may breach the security principle if a prejudices a person’s interests.
The NZ Commissioner, in  NZPrivCmr15 (CN 3984), expressed serious concern about the destruction of information that was the subject of an access request under rule 6 of the Health Information Privacy Code 1994. A hospital, having edited a nine-hour video to a three to five minute segment to respond to an access request, erased the remainder of the tapes. The hospital said it was ‘standard practice’ to reuse tapes after editing the relevant information, but the Commissioner proceeded to investigate a possible breach of the security rule in the Code, on the grounds that the destruction breached the requirement for reasonable security against loss. The case was settled, with a compensation payment, before any finding, but illustrates how the retention and security principles can interact to require continued storage.
However, two other cases under the same law show that if an organization can demonstrate that it has a well argued case for a particular period they will satisfy the principle, notwithstanding that the disposal proves inconvenient for particular individuals.
In  PrivCmrCan PIPEDA Case Summary #157, the complainant believed that it was wrong of a credit reporting agency to have destroyed past records reflecting a more positive period in his credit history. However the Canadian Privacy Commissioner accepted the premise that that a credit reporting agency’s essential purpose was to provide credit grantors with current information on the financial performance of credit applicants. He was satisfied that the six-year retention period adopted by the agency in observance of provincial legislation was adequate for the fulfilment of that purpose. He was also satisfied that the company did have in place appropriate guidelines and procedures regarding the retention of personal information. He found therefore that the agency was in compliance with the relevant Principles.
In  PrivCmrCan PIPEDA Case Summary #252 however, the Assistant Canadian Privacy Commissioner found that a bank was entitled to dispose of acknowledgement letters since the information contained in them existed elsewhere in the bank’s records – the principle applies to the information not the specific document. The principle in the Canadian private sector law makes it easier for an individual to insist on retention, by expressly requiring specification of minimum as well as maximum retention periods. But as in the cases under the NZ law, it seems regulators will generally leave the length of the retention period up to the organization concerned to decide.
Guidance on retention periods
Guidance on appropriate periods will gradually emerge from Court and tribunal rulings and, more likely, from rulings and case studies from regulators.
In an incidental finding in an access case,  PrivCmrCan PIPEDA Case Summary #32, the Canadian Commissioner noted that the respondent company routinely destroyed supervisors’ files, in accordance with the company’s retention-and-disposal policy, two years after termination of employment.
The Australian Federal Privacy Commissioner, in his guidance on the operation of the Credit reporting provisions of the Privacy Act 1988 (Cth), has specified 12 months as a reasonable minimum period for which rejected credit application be maintained – to tie in with the period beyond which the Commissioner can decline to investigate a complaint.
The same Commissioner’s ‘suggestions’ in the TICA determination have already been mentioned.
The Internet poses some new problems in relation to personal information which it was permissible to place on an Internet website but the uses of which have now finished. Even though an organization may remove the information from its website, a copy of it may still be found in the archives of Internet search engines (and general archives such as the WayBack Machine / Internet Archive . If the personal information could properly be disclosed to the Internet search engine / archive, then the organisation disclosing it will not normally be responsible for the archive deleting it. However, where there has been any wrongful disclosure of information, or breach of security, the organisation may have to seek deletion from the search engine or the archive operator . Publication, whether on the Internet or by other means, also brings into play the provisions of some privacy laws relating to publicly available information. Some laws exempt such information altogether, while others modify the operation of the Principles.
Privacy case law in several jurisdictions is gradually throwing some light on what matters organisations are expected to consider under privacy laws in making decisions on retention and disposal of personal information. Research for this article has only looked at a selection of the case law available, and further guidance may be available from other cases. As the body of case law builds up and is summarised, organisations can expect to obtain a clearer view of their obligations, both generally and in a variety of specific circumstances.
 Including Annual Report 1994-95, pp67-68 unfair retention of irrelevant psychological assessment); p147 (failure to follow Archives Act disposal schedule); p183 (failure to keep register of requests); AR 1998-99, p67 (employment service providers retaining jobseeker records in breach of rules)
 Privacy Act 1993 (NZ) s.6 – Principle 9
 Privacy and Personal Information Protection Act 1998 (NSW), s.12. – known as Information Protection Principle (IPP) 5. Inexplicably, investigative agencies are expressly exempted by s.24(7) from the requirement of s.12(a).
 Privacy Act 1988 (Cth) Schedule 3, Clause 4 – known as National Privacy Principle (NPP) 4.
 Information Privacy Act 2000 (Vic), Information Privacy Principle (IPP) 4.2
 Information Act (NT), Information Privacy Principle (IPP) 4.2
 Personal Data (Privacy) Ordinance 1995, Schedule 1, Data Protection Principle (DPP) 2(2)
 ch S Perrin, H Black, D Flaherty and M Rankin The Personal Information Protection and Electronic Documents Act - An Annotated Guide Irwin Law, Toronto, 2001, [4.5.3]
 Privacy Regulations [SOR/83-508]
 Eg: Privacy Act 1988 (Cth) s.18F.
 Tax File Number Guidelines 1992, Guideline 6.2.
 See http://www.pco.org.hk/english/publications/files/CCDCode_eng.pdf
 See http://www.pco.org.hk/english/ordinance/files/hrdesp.pdf
 Telecommunications Information Privacy Code 2003 ; Health Information Privacy Code 1994 (as amended) – see http://www.privacy.org.nz/comply/codes.html
 See http://www.privacy.gov.au/business/codes/index.html#1
 Proposed Credit Information Privacy Code 2003, Rule 9 and Schedule 1.
 The Australian Federal Privacy Commissioner has an express audit function in relation to public sector agencies, credit providers and tax file number recipients, although the audit program has been cut back drastically in recent years due to resource constraints. The Victorian Privacy Commissioner also has an audit function which he has started to exercise in accordance with an Audit Manual published in 2004. All Privacy Commissioners are able to conduct special investigations and make special reports, although the parameters vary between jurisdictions.
 These include M Berthold & Wacks  Hong Kong Data Privacy Law, 2nd Edition Thomson Sweet & Maxwell; and Perrin, Black, Flaherty and Rankin  The Personal Information Protection and Electronic Documents Act - An Annotated Guide Irwin Law, Toronto,
 Privacy Commissioner ‘Guidelines to the National Privacy Principles’, 2001, p.46.
 See http://www.privacy.gov.au/publications/mapbp.pdf
 See the European Union Directive 2002/58 on Privacy and Electronic Communications, Article 6, at http://europa.eu.int/comm/internal_market/privacy/law_en.htm and the Council of Europe Cybercrime Convention at http://conventions.coe.int/Treaty/en/Treaties/Html/185.htm
 See http://www.iia.net.au/cybercrimecode.html - particularly clause 7.
 Annual Report 1992-93 p12 (tax file number information unnecessarily retained after use); AR 1993-94, p67 (unnecessary retention of tax file numbers on AUSTUDY forms); AR 1995-96, p195 (failure to follow statutory destruction requirements for Medicare and Pharmaceutical Benefits claims information)
 Only the HK ordinance gives any protection against this potential breach of security, through s26(2).
 See Credit Reporting Advice Summaries 11.8, Retention of Credit applications, at http://www.privacy.gov.au/publications/casw6.pdf
 See http://www.archive.org/
 See Complainant v Statutory Entity  VicPCmr 3, summarised at (2004) 11 PLPR 76