Deletion of personal information

16.44 Several submissions to the Issues Paper noted that the harm caused by a serious invasion of privacy in the digital era will often increase the longer private information remains accessible.[58] It is therefore important that individuals be able to exercise a degree of control over their personal information, especially information that they may themselves have provided previously. In particular, individuals should be empowered to have their personal information destroyed—or, at a minimum, de-identified—when appropriate.

16.45 In the Discussion Paper, the ALRC proposed that a new APP be inserted into the Privacy Act, that would:

  • require APP entities to provide a simple mechanism for an individual to request destruction or de-identification of personal information that the individual had provided to the entity; and

  • require APP entities to take reasonable steps in a reasonable time to comply with such a request, subject to suitable exceptions, or to provide the individual with reasons for non-compliance.

16.46 The ALRC argued that the proposed APP would complement existing APPs that require APP entities to correct personal information (the correction principle)[59] and to destroy or de-identify personal information when it is no longer required for a relevant purpose (the security principle).[60] Although the existing APPs provide some protection, they do not incorporate a mechanism allowing individuals to request destruction or de-identification.

16.47 The proposal was supported by a number of stakeholders.[61] Others were opposed to it,[62] noting the existing correction and security principles[63] and the need to retain personal information for business purposes, such as billing.[64] Some stakeholders were not opposed to the proposal, subject to particular concerns being met.[65]

16.48 The OAIC opposed the proposal. The OAIC noted that it would not be relevant to most information held by Australian Government agencies due to the retention requirements of the Archives Act 1983 (Cth). The OAIC also noted that, in addition to the existing correction and security principles, other principles restrict the circumstances in which an APP entity may collect or disclose information:[66]

The requirement in the proposed APP for an organisation to destroy or de-identify the personal information, in circumstances where the organisation is still authorised to use or disclose it under the Privacy Act … has the potential to impose a significant burden on the organisation and disrupt its business practices. The OAIC considers that the existing measures in the APPs balance the need to give an individual control over the handling of their personal information with the regulatory burden on entities when carrying out their functions and activities, and that the additional burden in the proposed new APP is unjustified and unnecessary.[67]

16.49 The OAIC also submitted that, rather than introducing a new APP into the Privacy Act, the OAIC could

issue additional guidance on an entity’s obligations under the existing APPs to destroy or de-identify personal information and good privacy practice when an individual requests the entity to destroy or de-identify their personal information.

16.50 The ALRC accepts that the existing APPs require the destruction or de-identification of personal information in many circumstances. However, there are scenarios in which an APP entity may be able to retain personal information even after the individual has ceased their business relationship with the APP entity. For example, if the purpose of the collection includes the APP entity’s own statistical research, it is not clear that the entity would be required to destroy or de-identify the information unless and until the research was concluded, regardless of the duration or purpose of the research.

16.51 However, the ALRC accepts that the introduction of a new APP may require further consideration of the existing APPs, and that the effect of the recent reforms of the Privacy Act should be determined before further reforms take place.[68] The ALRC is not, therefore, recommending the introduction of a new APP. The ALRC remains concerned, however, that the existing APPs do not require an entity to provide a simple mechanism allowing an individual to request the destruction or de-identification of personal information.