In July, OAIC published guidance on the retention and deletion of personal information (PI) collected during the COVID-19 pandemic. Organisations should take stock of the personal information they hold and assess whether it is necessary to continue to collect and retain PI.
Australian Privacy Principles 11.1 and 11.2 require that reasonable steps be taken to protect personal information, and that personal information be destroyed or de-identified once it is no longer needed.
If information is stored electronically, such as in cloud-based storage, servers, USBs or with a third-party provider, you should ensure that the digital records are permanently destroyed, including in any back-up system or offsite storage.
It is also important to consider whether employees require any training to ensure that personal information is securely destroyed.
In November, OAIC published the COVIDSafe privacy report in accordance with s 94ZB of the Privacy Act, which examined compliance and risk throughout the ‘information lifecycle’ of COVID app data collected during the pandemic. Read the COVIDSafe Report May–November 2022 here.