8.1 An agency or organisation must take reasonable steps to:
(a) protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure; and
(b) destroy or render non-identifiable personal information if it is no longer needed for any purpose for which it can be used or disclosed under the UPPs and retention is not required or authorised by or under law.
8.2 The requirement to destroy or render non-identifiable personal information is not ‘required by law’ for the purposes of the Archives Act 1983 (Cth).
Note: Agencies and organisations also should be aware of their obligations under the data breach notification provisions.