The Office of the Australian Information Commissioner ("OAIC") has published a consultation draft "Privacy Business Resource" ("Resource"). The Resource reminds all businesses operating in Australia (and Federal Government agencies via a separate publication) that the existing privacy law and National Privacy Principles (or NPPs) require businesses to take reasonable steps to destroy or permanently de identify personal information that is no longer needed for any purpose for which the information may be used or disclosed (ie the purposes for which the business collected the information).

The OAIC is open to receiving comments on the Resource until 23 April but, in reality, it is unlikely the Resource will be significantly revised.

The "resource" publications of the OAIC are the lowest in the document hierarchy of OAIC documents. However, they do indicate areas of concern for or interest of the OAIC and therefore areas that, especially after 12 March 2014, the OAIC will focus on in terms of compliance.

The Current Requirements

NPP 4 requires that businesses take reasonable steps to destroy or permanently de identify personal information that is no longer needed for any purpose for which the information may be used or disclosed under NPP 2.

Also, as a general rule, information that does not need to include personal identifiers (for the purposes for which the business uses it) should be de-identified. Personal information should only be retained when required to meet a business objective or function.

While there is a temptation for many of us to keep as much information as possible for as long as possible (and keep it personally identifiable, if that is the way it was collected), the OAIC has reaffirmed that this is contrary to the current privacy law and NPPs.

Businesses operating in Australia should review the personal information they hold against the authorised purpose(s) for which it may be used (whether the express purposes specifically consented to via the acceptance of the privacy policy of the business, for example, or any legitimate secondary purpose(s) permitted by privacy law) and implement a process (ie take reasonable steps) to destroy or de identify that personal information for which the need/right to keep such personal identifiers for the authorised purpose(s) has been satisfied, expired or exhausted.

The New Requirements from 12 March 2014

The OAIC has also taken the opportunity in the Resource to highlight that, from 12 March 2014, the new privacy law and the new Australian Privacy Principles (or APPs), in particular APPs 4 and 11, include new and more stringent de-identification obligations for businesses operating in Australia to comply with.

APP 11.2, similar to NPP 4, requires that a business that holds personal information that it no longer needs for any purpose for which the information may be used (or disclosed) by the business under the APPs (and the business is not required to retain the information by law) must take such steps as are reasonable in the circumstances to destroy or de-identify the information.

APP 4.3 (a new privacy principle) requires that any unsolicited personal information received by the business that could not have been collected by the business pursuant to the APPs in the first place must, as soon as practicable, be destroyed or de-identified.

These APPs are more expansive than the existing NPP 4 and the new penalties from 12 March 2014 ($1.7 million for companies and $340,000 for individuals) for a serious invasion of privacy or repeated invasions of privacy should be enough of an incentive to refocus Australian businesses to comply with their obligations under the new privacy law. In respect of the de-identification obligations under the new privacy law, businesses are forewarned by the fact that the OAIC have identified this as an area of interest for them by publication of the Resources: that is, failure to address and comply with the destruction/de identification obligations post 12 March 2014, in particular, will be at your own peril!

Practical Measures

The Resource also discusses how a business might assess the various methods of de-identification, the techniques that a business might employ for doing so and the practical measures a business might consider taking to de-identify personal information. The OAIC lists common sense practical approaches in the Resource to such matters (which most businesses should be aware of). However, the much more fundamental takeaway from the publication of the Resource is that this, often overlooked obligation to de-identify, is now well and truly on the OAIC's radar.

What Action Should Australian Businesses Take Now?

All businesses operating and collecting or storing personal information in Australia should immediately consider their existing obligations and their future obligations under the APPs and, at the very least, comply with their current obligations under the NPPs in respect of destroying or permanently de-identifying certain of the personal information that such business holds.

Please contact us if you would like assistance the review/audit of your current compliance with NPP4 and/or what you need to do to comply with APPs 4 and 11 from 12 March 2014.

© DLA Piper

This publication is intended as a general overview and discussion of the subjects dealt with. It is not intended to be, and should not used as, a substitute for taking legal advice in any specific situation. DLA Piper Australia will accept no responsibility for any actions taken or not taken on the basis of this publication.


DLA Piper Australia is part of DLA Piper, a global law firm, operating through various separate and distinct legal entities. For further information, please refer to www.dlapiper.com