Considerations For Creating Your Data Retention Strategy

The last few years have seen a shift from treating data as the new oil to recognising that data holdings are valuable but also represent an organisational risk. The Optus, Medibank and Latitude Financial data breaches demonstrate very clearly the issues that arise from over-collecting and over-retaining personal information.

Your company’s data retention policy is one key governance piece supporting better data management, including data minimisation. In this post, we share some considerations to weigh when creating or reviewing your organisation’s data retention strategy.

Devising Appropriate Data Retention Periods

The data you collect and store should be kept only for as long as it serves the business purpose for which it was collected, or as long as you need it to meet your legal and compliance obligations, and (with rare exceptions) no longer.

Once the data no longer serves these purposes, it’s best to either de-identify it (if it is personal information) or delete or destroy it, unless you are required to keep it for legal compliance purposes or the customer has asked you to keep it.

These are some of the elements that need to be weighed in developing an appropriate data retention strategy: 

  • Risk from a data breach.

The Latitude Financial breach exposed the organisation’s poor data retention practices: customer data that was almost 20 years old was stolen in the 2023 cyber attack. Those practices likely contributed to the breach becoming one of Australia’s largest data breaches of all time. The more information your organisation holds, the larger the potential impact of a data breach and the more complex it becomes to appropriately interact with affected individuals. How do you contact someone you last interacted with 20 years ago?

  • Compliance. 

Australia’s OAIC recognises data minimisation as a key component of privacy compliance programs. This is reflected in the OAIC’s current regulatory priority on data retention:

“The OAIC will prioritise regulatory action where there may be serious failures to take reasonable steps to protect personal information, the use of inappropriate data retention practices or failures to comply with reporting requirements of the Notifiable Data Breaches Scheme, particularly where risks and mitigations have previously been publicised by the OAIC.

While the personal information security practices of the finance and health sectors will continue to be areas of particular focus, as the top two sectors reporting breaches, the OAIC will take an economy wide interest in data retention practices.”

Briefly, some other considerations include: 

  • Costs. Storing data is expensive, and so is managing masses of it. Eliminating data you aren’t using reduces the cost of storage, backups, IT operations and cloud infrastructure. For the data you do keep, it’s worthwhile running a cost-benefit analysis.
  • Higher-quality data. Your data retention strategy should reflect the diminishing accuracy of data over time: contact details, addresses and preferences go stale, so retaining old records lowers the overall quality of your data.
  • Scalability. Your organisation is likely to collect more data as it grows. You’ll benefit from retaining data in a way that promotes agility and intelligent business decisions rather than accumulating everything.
  • Reduced attack surface. Less data, especially less sensitive data, means less to lose in a data breach. Large holdings of sensitive data are attractive to attackers, which is likely one reason we’re seeing an increase in attacks on healthcare companies (such as the Medibank and MediSecure breaches).

Record types

An important part of any data retention program is recognising the different types of records your organisation collects, and ensuring you have rules for each record type. This helps employees differentiate between, for instance, emails that don’t need to be retained and financial records that typically must be retained for 7 years.

One approach might be to recognise the following record types:

Once these record classifications have been identified, you can create general rules such as:

  • All Records and Master Records must be stored in the identified system of record and retained according to the established retention and deletion rules.
  • Transitory Records must be deleted by the expiry of the deletion period identified for that record type.
  • Non-Records, or ROT (redundant, obsolete or trivial) data, should be deleted as part of routine administrative practices (e.g. email deletion and archiving).

Determining retention requirements

Retention and deletion requirements must be considered within the broader legislative, regulatory, best-practice and community environment in which the organisation operates. Some of the issues to consider when determining retention and deletion requirements include:

Taking a structured approach to retention and deletion ensures that an organisation’s practices are comprehensive, compliant, and considerate of all relevant factors.

Other Timing Considerations

Some organisations tend to err on the side of retaining data instead of deleting it, even once the original purpose for collection has lapsed and where there is no legal obligation to keep the data. 

Here are some timing considerations we’ve found helpful: 

  • Consider retaining data used for system improvements and analysis for five weeks. This allows for month-over-month analysis, after which the raw data can be aggregated into reports and the underlying records deleted.
  • Thirteen months is another common retention timeframe, since it allows for year-over-year analysis.
  • Any data stored for longer than eighteen months that isn’t required to be kept should be reviewed at least annually.

Note that these timing considerations don’t apply to data backups; they concern timelines for deleting personal information your organisation has collected and is actively using.

Customer Account Retention Strategy

One final consideration, if you allow your customers to create online profiles, is customer accounts. We’re seeing more organisations opt to delete customer accounts when the customer hasn’t logged in for a set period, typically a year.

In practice, these organisations email the customer to let them know that they haven’t accessed their account in some time and that it will be automatically deleted unless they log in. Typically the period between the notice and deletion is 30 days.
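The inactive-account lifecycle described above is straightforward to automate as a scheduled sweep. The following is an added example, not Privacy 108’s code or any particular product’s implementation. It assumes the periods the post calls typical (365 days of inactivity before a notice, 30 days from notice to deletion) and adds two edge cases a practitioner has to handle: a login during the grace period cancels the pending deletion, and a legal hold overrides the timer entirely. The `Account` fields, the constants, the e-mail addresses and `DEMO_DATE` are all constructed for the example.

```python
"""Inactive-account retention sweep (added example; all values are assumptions)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

INACTIVITY_DAYS = 365  # assumed: "typically a year" without a login
GRACE_DAYS = 30        # assumed: notice-to-deletion window
DEMO_DATE = date(2024, 6, 1)  # constructed "today" for the sample run


@dataclass
class Account:
    email: str
    last_login: date
    notified_on: Optional[date] = None  # when the deletion notice was sent
    legal_hold: bool = False            # e.g. litigation or a regulator request


def decide(acct: Account, today: date) -> str:
    """Return one of 'keep', 'notify', 'wait', 'delete' for a single account."""
    if acct.legal_hold:
        return "keep"  # a legal obligation overrides the purpose-based clock
    if today - acct.last_login < timedelta(days=INACTIVITY_DAYS):
        return "keep"  # still in use; any earlier notice is now stale
    if acct.notified_on is None or acct.last_login > acct.notified_on:
        return "notify"  # first notice, or dormant again after a later login
    if today - acct.notified_on >= timedelta(days=GRACE_DAYS):
        return "delete"  # notice sent and the grace period has run out
    return "wait"  # notice sent, grace period still running


def run_sweep(accounts, today):
    """Apply decide() to every account.

    Returns (actions, survivors): actions maps each action to the affected
    e-mail addresses; survivors is the account list with deletions applied.
    """
    actions = {"keep": [], "notify": [], "wait": [], "delete": []}
    survivors = []
    for acct in accounts:
        action = decide(acct, today)
        actions[action].append(acct.email)
        if action == "notify":
            acct.notified_on = today  # in production: send the e-mail here
        if action != "delete":
            survivors.append(acct)
    return actions, survivors


def sample_accounts(today):
    """Constructed sample data covering each branch of the policy."""
    def days_ago(n):
        return today - timedelta(days=n)

    return [
        Account("active@example.com", last_login=days_ago(10)),
        Account("dormant@example.com", last_login=days_ago(400)),
        Account("noticed@example.com", last_login=days_ago(400), notified_on=days_ago(10)),
        Account("expired@example.com", last_login=days_ago(400), notified_on=days_ago(31)),
        Account("held@example.com", last_login=days_ago(400), notified_on=days_ago(31),
                legal_hold=True),
        # logged in during the grace period: the pending deletion is cancelled
        Account("returned@example.com", last_login=days_ago(20), notified_on=days_ago(40)),
        # logged in after an old notice, then went dormant again: notify afresh
        Account("redormant@example.com", last_login=days_ago(390), notified_on=days_ago(400)),
    ]


if __name__ == "__main__":
    actions, survivors = run_sweep(sample_accounts(DEMO_DATE), DEMO_DATE)
    for action, emails in actions.items():
        print(f"{action:7s} {emails}")
    print(f"{len(survivors)} accounts remain")
```

Running the sweep daily is enough; because `decide()` works from `last_login` and `notified_on` rather than from a stored state flag, a missed run simply catches up on the next one, and a customer who logs in at any point before deletion is kept without any special-case code.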

Developing A Data Retention Policy

If you need assistance developing an appropriate data retention policy, reach out. Our experienced team of privacy professionals regularly works with organisations to build more mature privacy programmes, and we are ready to work with you. 

Privacy, security and training. Jodie is one of Australia’s leading privacy and security experts and the Founder of Privacy 108 Consulting.