Retention and deletion of PI collected during COVID-19

OAIC has published a new guidance on retention and deletion of personal information (PI) collected during the COVID-19 pandemic. As restrictions continue to ease, entities should take stock of personal information they hold and assess whether it is necessary to continue to collect and retain PI. Australian Privacy Principles 11.1 and 11.2 require that reasonable steps be taken to protect personal information and personal information be destroyed or deidentified once it is no longer needed. If information is stored electronically, such as in cloud-based storage, servers, USBs or with a third-party provider, you should ensure that the digital records are permanently destroyed, including in any back-up system or offsite storage. It is also important to consider whether employees require any training to ensure that personal information is securely destroyed. Access the Guidance here.