Purging Inactive Customer Data

In its recent 2023 Data Governance Report, the Governance Institute of Australia reported that fewer than a third of organisations regularly purge data. The most common period for data purging is annually, but purging should happen much more often.

Safeguarding data requires a proactive approach, and regularly reviewing and updating data security, data retention and data deletion policies and processes is an important step in protecting businesses, customers and data from cyber criminals. Failure to do so creates a risk of breaching Australian privacy laws, and leaves businesses and customers vulnerable to cyber threats.

Under Australia’s Privacy Act, if a business to which the Australian Privacy Principles apply (an APP entity) holds personal information about an individual, the business must take reasonable steps to protect the information from misuse, interference and loss, and from unauthorised access, modification or disclosure (APP 11.1). If the business no longer needs the information for any purpose, it must take reasonable steps to destroy the information or ensure it is de-identified (APP 11.2).

Reports of recent cyber attacks in Australia, in which cyber criminals have reportedly fraudulently accessed over 15 million customer accounts and made thousands of online purchases, affecting businesses such as Dan Murphy’s, Event Cinemas and Guzman y Gomez, are a reminder of how crucial it is for businesses to review their approach to data security and data retention.

As cyber attacks such as the ones recently reported become more prevalent and more sophisticated, it is important that businesses regularly turn their minds to deleting unused customer data and inactive customer accounts. Taking proactive steps in this regard can assist in mitigating the impact of cyber threats.

Read the full article by DMAW Lawyers here, by author Tasha Naige, Principal at DMAW Lawyers, and co-author Narisse Fechner, Lawyer at DMAW Lawyers.