Contact

Considerations For Creating Your Data Retention Strategy

Published
07 Aug 2024
Read time
6 min read
Category
Privacy, Privacy Practice

The last few years have seen a shift from data being the new oil to data holdings being valuable but also representing an organisational risk. Optus, Medibank, and Latitude Finance data breaches demonstrate very clearly the issues that can arise from the over-collection and storage of personal information.

Your company’s data retention policy is one key governance piece supporting better data management, including data minimisation. In this post, we’ll share some considerations worth considering when creating or reviewing your organisation’s data retention strategy. 

Devising Appropriate Data Retention Periods

The data you collect and store should be kept for as long as it serves the business purposes for which it was collected, or to meet your legal and compliance obligations and no longer (usually). 

Once the data no longer serves these purposes, it’s best to either de-identify it if it is personal information or delete or destroy it – unless you are required to keep it for legal compliance purposes or unless the customer asks you to keep it. 

These are some of the elements that need to be weighed in developing an appropriate data retention strategy: 

  • Risk from a data breach.

The Latitude Financial breach exposed the organisation’s poor data retention practices, with customer data that was almost 20 years old having been stolen in the cyber attack in 2023. These poor data retention practices likely contributed to the breach becoming one of Australia’s largest data breaches of all time.  The more information your organisation holds, the larger the potential impact of a data breach and the more complex it will be to appropriately interact with affected individuals.  How do you contact someone you last interested with 20 years ago? 

  • Compliance. 

Australia’s OAIC recognises the importance of data minimisation as a key component of privacy compliance programs.This is reflected in the current OAIC regulatory priority on data retention: 

“The OAIC will prioritise regulatory action where there may be serious failures to take reasonable steps to protect personal information, the use of inappropriate data retention practices or failures to comply with reporting requirements of the Notifiable Data Breaches Scheme, particularly where risks and mitigations have previously been publicised by the OAIC.

While the personal information security practices of the finance and health sectors will continue to be areas of particular focus, as the top two sectors reporting breaches, the OAIC will take an economy wide interest in data retention practices.”

Briefly, some other considerations include: 

  • Costs. Data retention is expensive, and so is managing masses of data. Eliminating data you aren’t using can reduce the costs of storage, backups, IT costs, and cloud infrastructure. For the rest, it’s worthwhile running a cost-benefit analysis. 
  • Higher-quality data. Your data retention strategy should reflect the diminishing accuracy of data over time. 
  • Scalability. Your organisation is likely to collect more data as it grows. You’ll benefit from retaining data in a way that promotes agility and intelligent business decisions.
  • Reduced attack surface. Less data, especially less sensitive data, means less risk of a data breach. Higher volumes of data are attractive to attackers, which is likely why we’re seeing an increase in attacks on healthcare industry companies (like the Medibank and MediSecure breaches). 

Record types

An important part of any data retention program is recognising the different types of records that your organisation might collect, and ensuring you have rules for those different records types.  This will help all employees differentiate between emails that don’t need to be retained and financial records (for instance) that typically need to be retained for 7 years.

One approach might be to recognise the following record types:

Once these different record classifications have been identified, you can create general reviews such as:

  • All Records and Master Records must be stored in the identified system of record and retained according to established retention and deletion rules
  • Transitory Record must be deleted by the expiration of the deletion period identified for that record
  • Non-Records or ROT Dta should be deleted as part of routine administrative practices (e.g. email deletion and archiving).

Determining retention requirements

Retention and deletion requirements must be considered by organisations within the broader context of the  legislative, regulatory, best practice and community environment that they operate in.   Some of the issues to be considered in the determination of retention and deletion requirements include:

Taking a structured approach to retention and deletion of data ensures that an organisaton’s data retention and deletion practices are comprehensive, compliant, and considerate of all relevant factors.

Other Timing Considerations

Some organisations tend to err on the side of retaining data instead of deleting it, even once the original purpose for collection has lapsed and where there is no legal obligation to keep the data. 

Here are some timing considerations we’ve found helpful: 

  • Consider retaining data used for system improvements and analysis for five weeks. This allows for a month-over-month analysis and the data can then be transformed and stored as reporting. 
  • Thirteen months is another common retention timeframe, since it allows for year-over-year analysis. 
  • Any data stored for longer than eighteen months (that isn’t required to be kept) should be subject to review at least annually. 

Note that these timing considerations don’t apply to data backups, we’re talking about timelines for deletion of personal information collected and used by your organisation. 

Customer Account Retention Strategy

One final consideration is customer accounts, if you allow your customers to create online profiles. We’re seeing an increase in organisations opting to delete customer accounts if the customer hasn’t logged in for a set period of time, typically a year. 

In practice, these organisations tend to email the customer letting them know that they haven’t accessed their account in some time and that it will be automatically deleted if they don’t log in. Typically the period before deletion is 30 days. 

Developing A Data Retention Policy

If you need assistance developing an appropriate data retention policy, reach out. Our experienced team of privacy professionals regularly works with organisations to build more mature privacy programmes, and we are ready to work with you. 

Ready to turn insight into action?
Connect with Privacy 108.

"*" indicates required fields

This field is for validation purposes and should be left unchanged.
Privacy 108 collects your name and contact details to respond to your enquiry and communicate with you about it. If you do not provide this information, we may be unable to respond. We do not disclose this information to third parties. For more information about how we handle your personal information, including how to access or correct it or make a complaint, please see our Privacy Policy or contact us at hello@privacy108.com.au.
Jodie Siganto
Privacy, security and training
Jodie is one of Australia’s leading privacy and security experts and the Founder of Privacy 108 Consulting.
Jodie Siganto
Privacy, security and training
Jodie is one of Australia’s leading privacy and security experts and the Founder of Privacy 108 Consulting.
Talk to us?
Looking to take your business to the next level? Speak with our experts today!
Contact us
Related articles
  • 1300 41 20 50
  • Level 3, 240 Queen St, Brisbane QLD 4000
  • Ground Floor Reception, 3 Spring St, Sydney NSW 2000
  • PO Box 3295, Yeronga QLD 4104
  • Follow us on LinkedIn
Services
Privacy Risk Management Privacy Impact Assessments AI Governance Privacy Legal Services Research and Policy
Company
About Privacy 108 Our Team Careers Insights Contact Us Privacy Policy Terms & Conditions
Subscribe to our newsletter
Subscribe
Privacy 108 Consulting Pty Ltd ABN 52 600 425 885 is an incorporated legal practice registered with the Queensland Law Society. Liability limited by a scheme approved under Professional Standards Legislation.
We respectfully acknowledge the Traditional Owners of the land we work on and pay our respects to their Elders past, present and future in maintaining the culture, country and their spiritual connection to the land.
© 2026 by Privacy 108 Consulting Pty Ltd. ABN 52 600 425 885
Website by DeeperLook
Subscribe to our Newsletter

"*" indicates required fields

This field is for validation purposes and should be left unchanged.

Privacy 108 collects your name and email to send you our newsletter. If you do not provide this information, we will be unable to send it to you. We may use third-party service providers (such as email marketing platforms) to distribute our communications. Some providers may store information overseas, including in the United States. For more information about how we handle your personal information, including how to access or correct it or make a complaint, please see our Privacy Policy or contact us at hello@privacy108.com.au. You can unsubscribe at any time using the link in our emails or by contacting hello@privacy108.com.au.